With Hossain

#PolymarketDeniesDataBreach *#PolymarketDeniesDataBreach* is trending because Polymarket pushed back yesterday on claims that it suffered a major data breach. *What happened* 1. *The claim*: On April 27, 2026, a threat actor called “xorcat” posted on a cybercrime forum saying they leaked 300,000+ Polymarket records + an exploit kit. The data was allegedly pulled using undocumented API endpoints, weak pagination, and misconfigs. 2. *Polymarket’s response*: The company denied any breach of private data on April 28. They said: > "Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was leaked — it's accessible via our public endpoints & on-chain data." e4d6 Basically: The 300K records are public market/orderbook data that anyone can pull from their API for free. No emails, passwords, or wallet keys were exposed. e4d6 *The controversy* - *Critics say*: Even if the data is “public,” aggregating 300K user-linked records + publishing an exploit kit creates privacy/security risks. The exploit kit included pagination bypasses and WebSocket endpoints. - *Context*: This comes after Polymarket confirmed a separate issue 8 days ago where a third-party auth provider vulnerability led to some user accounts being drained. That was a real hack. The new claim is different. e4d6e3cee38e *Key points* - *No private user data leaked* according to Polymarket - *Data was scraped April 27* from public APIs - *Polymarket has no bug bounty program* and wasn’t notified before the forum post - *Debate continues*: Is scraping public on-chain data a “breach”? Polymarket says no. Security researchers say the API weaknesses still matter e4d67dd7e3ce So the hashtag is Polymarket denying that the 300K-record dump counts as a breach, since it’s all public data by design. e4d6