A serious vulnerability in Discord's SDK allowed the game Arc Raiders to record users' private Discord messages and full account credentials in unencrypted local log files. The flaw meant that if the game crashed and logs were sent to the developer, Embark Studios, employees could potentially access that sensitive data.
Embark Studios has since released a hotfix, completely disabling the Discord SDK and assuring users no personal data was transmitted off their PCs. While the game developer patched the issue, some engineers argue the root cause lies with Discord's SDK failing to properly scrub sensitive information from its logs.
The main topics covered are a security vulnerability in Discord's SDK, its specific impact on the game Arc Raiders, the remediation actions taken by the game developer, and the attribution of fault for the flaw.
Arc Raiders was accidentally recording Discord conversations into an unencrypted local game file — vulnerability in SDK could log messages and credentials in plaintext
Thankfully, the issue has since been hotfixed by Arc Raiders, but the fault still lies with Discord
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
You are now subscribed
Your newsletter sign-up was successful
A computer engineer has discovered a serious vulnerability within Discord's SDK that allows games to store Discord DMs between players in game logs without any security measures. System engineer Timothy Meadows published a blog post, revealing an incident where Arc Raiders was storing DMs between two gamers in plaintext to a local log file. Thankfully, at the time of writing, the problem has since been hotfixed by Embark Studios.
Timothy discovered that Arc Raiders' Discord SDK was using a completely unencrypted bearer token and logs "all events" including any private conversations to the user's local drive without any encryption. A bearer token stores the user's Discord credentials, and anyone who gets this token has full access to the Discord user's account, including private DMs, friends list, and account settings.
This is made worse by the fact that if Arc Raiders crashes and the user sends log files to Embark Studios (the game's development team), the company's employees will have that user's full account credentials and any DMs that were sent to the log files.
Arc Raider uses the Discord SDK to show your Discord friends list in-game and invite Discord friends to the game. For this limited functionality, Timothy states the game only requires a "limited OAuth scope for game activity display." This would solve the issue and stop Arc Raiders from recording DMs to log files and storing a user's full account credentials to the game's log files as well. Some engineers who've inspected Discord's API say the issue lies solely with Discord, however.
I dug into the ARC Raiders Discord token leak issue; this might not be ARC Raiders or Embark's fault. Discord's new Social SDK has a logging hook you can override, and as far as I can tell Discord is failing to scrub log events of sensitive information. API: discord.com/developers/d...
— @eidolon.photon.institute (@eidolon.photon.institute.bsky.social) 2026-03-05T19:48:37.434Z
Thankfully, Embark Studios has since patched the issue with a hotfix. The game company assured users that no private or personal data was sent outside of gamers' PCs, and the company itself has not reviewed or kept any personal information that might have been sent to them. Embark Studios has completely disabled Discord's SDK and is conducting an audit to ensure that there are no other problems with the SDK.
This isn't the first time Discord has to deal with security issues. The social app was hacked by a ransomware group late last year, demanding $3.5 million from Discord's developers, and allegedly stole 70,000 government ID photos.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
Aaron Klotz is a contributing writer for Tom’s Hardware, covering news related to computer hardware such as CPUs, and graphics cards.
Meridiano
