Arc Raiders Discord Integration Bug Was Storing Your Private DMs in Plaintext — Here’s What You Need to Know

A security flaw in Arc Raiders' Discord integration was storing private DMs and authentication tokens in unencrypted local log files. Here's what happened and what to do now.

TL;DR: A security flaw in Arc Raiders’ Discord SDK integration was writing players’ private Discord direct messages and full authentication tokens to an unencrypted local log file on their PCs. Discovered by systems engineer Timothy Meadows on March 5, 2026, the issue was hotfixed by Embark Studios within 30 minutes of being reported. Discord has since confirmed it is updating its Social SDK and issuing new developer guidance to prevent similar issues. No data was sent outside users’ machines. If you linked Discord to Arc Raiders, you should still consider changing your Discord password as a precaution.


A security researcher has uncovered a significant privacy flaw in Arc Raiders’ Discord integration — one that was quietly writing players’ private direct messages and account credentials to a plain-text log file sitting on their local PC.

The good news: Embark Studios issued a hotfix within 30 minutes of the issue being reported, and Discord has confirmed it is updating its Social SDK to add safeguards for all developers. The less reassuring news: the nature of the vulnerability meant that anyone with access to your machine — or any automatic crash report system — could have potentially read everything stored in that file.


What the Bug Actually Did

The issue was discovered and documented by systems engineer Timothy Meadows, who published a detailed technical blog post on March 5, 2026, outlining his findings after analyzing Arc Raiders’ local game files.


According to Meadows’ investigation, two separate but related problems were present. First, private Discord Direct Message conversations between two users were being written in plaintext to a local game log file. Additionally, a full Discord Bearer authentication token was found stored in the same log file.

That second point is the more alarming of the two. A bearer token stores the user’s Discord credentials, and anyone who gets this token has full access to the Discord user’s account, including private DMs, friends list, and account settings. In practical terms, it functions like a master key to your Discord account.

The root cause was a combination of how Discord’s SDK was implemented and how Arc Raiders configured it. The game’s Discord SDK was running in a verbose mode that indiscriminately captured chat data between users. Rather than filtering sensitive events, the integration logged everything it received from Discord’s gateway connection — including private messages that had no business being in a game log file at all.

Critically, the problem was made worse by the fact that if Arc Raiders crashed and the user sent log files to Embark Studios, the company’s employees would have potentially received the token alongside the crash report. Meadows also noted that malicious software on the same machine could harvest the token directly from the log file, and that third-party users who never agreed to Arc Raiders’ terms of service had their presence data written to other users’ logs without their knowledge.
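The missing safeguard described above is a filter between the SDK's log output and the file on disk. The sketch below is an added example, not code from Embark, Discord or Meadows' post; the hook signature, level names and log line shape are assumptions made for illustration, and the sample values in the comments are constructed.

```python
import json
import re

# Assumed log text (constructed for this example): free text that may embed an
# auth header, a token key/value pair, or a raw gateway JSON frame.
BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]{8,}")
TOKEN_KV_RE = re.compile(
    r'(?i)("?(?:access_|refresh_)?token"?\s*[:=]\s*"?)[^"\s,}]+')
# Gateway dispatch types whose payload is user content a game log never needs.
PRIVATE_EVENTS = {"MESSAGE_CREATE", "MESSAGE_UPDATE", "PRESENCE_UPDATE"}
# Hypothetical severity names; a real SDK defines its own.
LEVELS = {"VERBOSE": 0, "INFO": 1, "WARN": 2, "ERROR": 3}


def scrub(text):
    """Return a version of one log message that is safe to persist."""
    start = text.find("{")
    if start != -1:
        try:
            frame = json.loads(text[start:])
        except ValueError:
            frame = None
        if isinstance(frame, dict) and frame.get("t") in PRIVATE_EVENTS:
            # Keep the event type for debugging, discard the whole payload.
            safe = {"t": frame["t"], "d": "[REDACTED]"}
            return text[:start] + json.dumps(safe)
    text = BEARER_RE.sub(r"\1 [REDACTED]", text)
    return TOKEN_KV_RE.sub(r"\1[REDACTED]", text)


def make_log_hook(sink, min_level="WARN"):
    """Build a callback for an SDK logging hook (hypothetical wiring).

    sink is any callable taking one string, e.g. a file writer.
    """
    def hook(level, message):
        if LEVELS[level] < LEVELS[min_level]:
            return  # shipped builds never persist verbose output
        sink(f"{level} {scrub(message)}")
    return hook
```

Running the same `scrub` function over log files before they are attached to a crash report covers the submission path as well.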

Who Was Responsible?

The question of blame is more nuanced than initial headlines suggested. Some developers have pointed out this might not be entirely Arc Raiders’ or Embark’s fault — Discord’s new Social SDK has a logging hook that developers can override, and Discord itself appears to have been failing to scrub log events of sensitive information.

Discord’s own statement, shared with Eurogamer, framed the issue as stemming from “debugging features intended for developers building and testing Social SDK integrations” — language that places the origin squarely within the SDK’s design rather than any deliberate decision by Embark. That said, the configuration that enabled verbose logging at this level was ultimately present in the shipped game, affecting real players.

Meadows did issue one correction to his original post: he had initially suggested the bearer token could be used to send messages on behalf of the user. This was an error due to his misunderstanding of the permission rpc.voice.write, which only allows the token holder to change voice settings and does not permit sending messages as the user. The token still represents a serious credential exposure — just not quite as severe as first reported.

The Response: Fast, But With Questions Remaining

Embark Studios’ response was notably swift. A hotfix was deployed just 30 minutes after the issue was reported. The studio confirmed through Community Lead Ossen that no private data was sent outside players’ machines and that Embark had not reviewed or retained any such information. Embark also announced it had fully disabled Discord’s SDK while conducting a deeper audit.

Discord’s statement to Eurogamer confirmed the company became aware of the problem on March 4, worked directly with Embark to address it, and is now “providing guidance to developers and updating the Discord Social SDK with additional protections.” Discord is also communicating directly with other partners who have existing or in-development integrations using the same SDK — an acknowledgment that the risk is not limited to Arc Raiders.

The speed of the fix is genuinely commendable. But the fact that a game shipping to millions of players had verbose debug logging enabled in its Discord integration — one that captured private messages and authentication tokens — raises questions about the testing and review process that will be worth watching as Discord’s SDK becomes more widely adopted across the industry.

What Should You Do Now?

The hotfix is live and the immediate threat is resolved. However, given that the authentication token stored in the log file represented full account-level access, taking these steps is still advisable:

Change your Discord password. This will invalidate any previously stored tokens. Even with the log files now cleaned up, it’s the clearest way to close off any credential exposure that may have occurred before the patch.

Disable Arc Raiders’ Discord integration if you haven’t already, at least until you’re comfortable that the deeper audit Embark mentioned has concluded.

Check whether you use automatic crash reporting. If crash reports were submitted while the bug was active, it’s worth being aware that token data may have been included in those submissions — though Embark has stated no such data was retained.



The Broader Context: SDK Security in Gaming

Arc Raiders has been one of gaming’s most remarkable success stories of the past year. The game has surpassed 15 million copies sold, generating over $500 million in revenue — figures that underscore just how large its player base is and why a privacy flaw of this nature warrants serious attention even if it turned out not to be malicious in origin.

The game was already facing community skepticism over its implementation of AI features, and this technical misstep — accidental as it appears to be — adds a concrete security worry to that list. The industry’s growing reliance on integrated SDKs for social features, achievement systems, and cross-platform authentication creates an expanding surface area for exactly this kind of issue. Discord’s commitment to updating its SDK and improving developer guidance is a step in the right direction, but this incident is a useful reminder that third-party integrations carry real risk that developers are responsible for vetting.

For an extraction shooter built around trust — where players cooperate, share resources, and communicate constantly — a DM privacy incident is about as bad a headline as it gets. Embark’s quick action helps, but rebuilding confidence will take longer than 30 minutes.

