A systems engineer has found a serious flaw in Discord's SDK that lets games write Discord DMs between players to their log files with no protection at all. Timothy Meadows published a blog post showing that Arc Raiders was writing DMs between two players, in plaintext, to a local log file. At the time of writing, Embark Studios has hotfixed the problem.

Meadows found that the Discord SDK integration in Arc Raiders wrote the user's bearer token to disk in plaintext and logged "all events", private conversations included, to the user's local drive without any encryption. A bearer token is an OAuth access token, not a password: the Discord API treats whoever presents it as the user it was issued to, with no password or second factor required. Anyone who lifts the token from the log file therefore gets whatever access it was granted, which in this case included the user's private DMs, friends list and account settings.

This is made worse by the fact that if Arc Raiders crashes and the user sends the log files to Embark Studios (the game's developer), the company's employees receive that user's live bearer token along with any DMs that were written to the logs.

Arc Raiders uses the Discord SDK to show your Discord friends list in-game and to invite Discord friends to the game. For that limited functionality, Meadows states the game needs only a "limited OAuth scope for game activity display." Requesting a narrower scope would cut the damage on both counts: a token without DM access cannot read private messages, so the SDK would have no conversations to log, and a leaked token would grant far less than full account access. Some engineers who have inspected Discord's API say the issue lies solely with Discord, however.

I dug into the ARC Raiders Discord token leak issue; this might not be ARC Raiders or Embark's fault. Discord's new Social SDK has a logging hook you can override, and as far as I can tell Discord is failing to scrub log events of sensitive information. API: discord.com/developers/d... — @eidolon.photon.institute (@eidolon.photon.institute.bsky.social) 2026-03-05T19:48:37.434Z
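The two passages above describe the same defect from two sides: an SDK that logs "all events" verbatim, and a logging hook that a game could override to scrub those events before they reach disk. The following is an added example, not code from Discord's Social SDK, Embark Studios or Meadows' post, of what a redacting log sink looks like, plus the check a player or developer can run over a log file they already have. The event names, field names (`token`, `content`, `Authorization`) and the placeholder token ending in `NOTREAL` are constructed for the demo and are not the SDK's real schema.

```python
import json
import re
from typing import Any

# Constructed sample events for this demo. The event names and field names are
# assumptions chosen for illustration; they are not the Discord Social SDK's
# real schema. "NOTREAL" marks the placeholder token.
SAMPLE_EVENTS = [
    {"event": "auth.token_issued",
     "token": "Bearer abcDEF123.exampletoken.NOTREAL",
     "scopes": ["sdk.social_layer"]},
    {"event": "message.create",
     "channel_id": "1001", "author_id": "42",
     "content": "hey, my address is 12 Example St, keep it private"},
    {"event": "http.request",
     "method": "GET", "url": "https://discord.example/api/users/@me",
     "headers": {"Authorization": "Bearer abcDEF123.exampletoken.NOTREAL"}},
    {"event": "friends.updated", "count": 17},
]

# Keys whose values are credentials: never written, whatever they contain.
SECRET_KEYS = {"token", "access_token", "refresh_token", "authorization"}
# Keys that carry message bodies: the log keeps the size, never the text.
CONTENT_KEYS = {"content", "body", "text"}
# Catches tokens that leak inside free-form strings ("Authorization: Bearer x").
BEARER_RE = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]+")


def scrub(value: Any, key: str = "") -> Any:
    """Recursively redact an event before it reaches the log sink."""
    k = key.lower()
    if k in SECRET_KEYS:
        return "[REDACTED]"
    if k in CONTENT_KEYS:
        return f"[{len(str(value))} chars omitted]"
    if isinstance(value, dict):
        return {ck: scrub(cv, ck) for ck, cv in value.items()}
    if isinstance(value, list):
        return [scrub(item, key) for item in value]
    if isinstance(value, str):
        return BEARER_RE.sub("Bearer [REDACTED]", value)
    return value


def format_event(event: dict) -> str:
    """One scrubbed JSON line per event; this is what may be written to disk."""
    return json.dumps(scrub(event), sort_keys=True)


def redacted_log(events: list[dict]) -> list[str]:
    """Safe log lines: credentials and message bodies never reach the file."""
    return [format_event(e) for e in events]


def raw_log(events: list[dict]) -> list[str]:
    """The unsafe behaviour the article describes: events logged verbatim."""
    return [json.dumps(e, sort_keys=True) for e in events]


def find_token_lines(log_text: str) -> list[str]:
    """Detection side: lines of an existing log that still hold a bearer token.
    Run this over a log file you already have before sending it to anyone."""
    return [ln for ln in log_text.splitlines() if BEARER_RE.search(ln)]


if __name__ == "__main__":
    unsafe = "\n".join(raw_log(SAMPLE_EVENTS))
    print("unsafe log:\n" + unsafe)
    print("\nscrubbed log:\n" + "\n".join(redacted_log(SAMPLE_EVENTS)))
    print("\nlines holding a token in the unsafe log:",
          len(find_token_lines(unsafe)))
```

The design point is that redaction happens at the sink, keyed on field names and backed by a regex for tokens that end up inside free text, so a new event type that happens to carry a token or a message body is covered without anyone remembering to special-case it. Keeping the message length rather than the text preserves enough to debug delivery problems without ever storing what a player wrote.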

Embark Studios has since patched the issue with a hotfix. The studio assured users that no private or personal data left players' PCs, and that it has neither reviewed nor retained any personal information that may have reached it in submitted logs. Embark has disabled the Discord SDK entirely and is auditing it to make sure there are no further problems.

This isn't the first time Discord has had to deal with security issues. Late last year the platform was hit by a ransomware group that demanded $3.5 million from Discord and allegedly stole 70,000 government ID photos.

