ARC Raiders' Discord SDK Leak: How a Game Logged Your Private DMs in Plain Text
Verified: 3/6/2026
The Viral Discovery That Shook Gaming
When Timothy D. Meadows, a distributed systems engineer, fired up ARC Raiders for some testing, he wasn't expecting to uncover a privacy nightmare. But there it was: private Discord direct messages, logged in plain text on his local machine. This wasn't some obscure bug; it was a critical security flaw affecting every player who linked their Discord account to the game. The logs weren't just capturing metadata—they were saving full conversations, friend lists, and even authentication tokens. Meadows' blog post went viral fast, sparking outrage and forcing developer Embark Studios into damage control mode within hours.
How the SDK Went Rogue
At the heart of this mess is Discord's SDK, a tool meant to enhance social features in games. In ARC Raiders, it was integrated to allow voice chat and presence updates. But something went terribly wrong in the implementation. Instead of filtering out sensitive data, the SDK was dumping everything into a local log file at C:\Users\\AppData\Local\PioneerGame\Saved\Logs\discord.log. This included:
- Full private DM conversations between users
- Discord Bearer authentication tokens (initially misreported as allowing message sending, but still a risk)
- Friends list presence data
- Overly broad gateway connection scopes
The logs were written silently, with no user notification, turning a gaming session into a surveillance operation. For players, this meant any application with read permissions on their PC could potentially access these files, exposing private chats to malware or other software.
The Technical Breakdown: What Went Wrong
Meadows' analysis points to a cascade of failures. The Discord SDK version used (commit 3b8f3adce7dd1d85463aa700d9185676633e98a1, version 1.8.13395) was configured with excessive logging scopes. Normally, SDKs should sanitize data, stripping out sensitive information like tokens and private messages. Here, that sanitization was either missing or misconfigured. The authentication token, while not as dangerous as initially thought, still posed a risk—it could allow changes to voice settings, a foothold for further exploits.
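The sanitization step described above as missing, sketched as an added example (not Embark's or Discord's code): a filter that redacts Bearer tokens and private gateway payloads before a line reaches disk, reused as an audit over logs captured from a test session. The log line layout and the LogDiscord prefix are constructed, since the page does not show the real discord.log format; sanitize, audit and PRIVATE_EVENTS are hypothetical names.

```python
import json
import re

# Constructed sample lines (assumption): the real discord.log layout is not shown on the page.
SAMPLE_LOG = [
    "[t=0001] LogDiscord: GET /users/@me Authorization: Bearer EXAMPLEtoken0123456789abcdef",
    '[t=0002] LogDiscord: gateway recv {"t":"MESSAGE_CREATE","d":{"content":"see you at 8"}}',
    '[t=0003] LogDiscord: gateway recv {"t":"PRESENCE_UPDATE","d":{"status":"online"}}',
    "[t=0004] LogDiscord: voice connected, latency 42ms",
]

TOKEN_RE = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}", re.IGNORECASE)
# Gateway event types whose payload carries DM text or friends' presence.
PRIVATE_EVENTS = {"MESSAGE_CREATE", "MESSAGE_UPDATE", "PRESENCE_UPDATE"}


def sanitize(line):
    """Return (safe_line, findings) for one log line before it is written."""
    findings = []
    safe, hits = TOKEN_RE.subn("Bearer [REDACTED]", line)
    if hits:
        findings.append("bearer_token")
    start = safe.find("{")
    if start != -1:
        try:
            event = json.loads(safe[start:])
            kind = str(event.get("t"))
        except ValueError:
            # Fail closed: a payload that cannot be parsed is dropped, not logged raw.
            findings.append("unparsed_payload")
            return safe[:start] + "[REDACTED]", findings
        if kind in PRIVATE_EVENTS:
            findings.append("private_payload:" + kind)
            event["d"] = "[REDACTED]"  # keep the event type, drop the body
            safe = safe[:start] + json.dumps(event, separators=(",", ":"))
    return safe, findings


def audit(lines):
    """Map 1-based line number -> findings for every line that would leak data."""
    found = ((n, sanitize(line)[1]) for n, line in enumerate(lines, 1))
    return {n: f for n, f in found if f}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
    for entry in SAMPLE_LOG:
        print(sanitize(entry)[0])
```

Run as a release gate, a non-empty audit result over logs from an instrumented play session means the build still writes tokens or private payloads to disk.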
"These findings represent serious privacy and security violations that affect all players using Discord integration with the game." — Timothy D. Meadows
Embark Studios responded quickly, promising a hotfix and noting the data never left local systems. But that's cold comfort when the breach happened at all. The studio's statement about "excessive user information" logging hints at a lack of proper audit trails during development. In a world where data privacy is paramount, this oversight is glaring.
Broader Implications for Gaming and Security
This isn't just about ARC Raiders. It's a wake-up call for the entire gaming industry on how third-party SDKs are integrated. Games increasingly rely on tools like Discord's SDK for social features, but without rigorous security reviews, they become vectors for data leaks. The incident exposes a gap in developer practices: assuming SDKs are safe out-of-the-box. In reality, they require careful configuration and testing to avoid exposing user data.
For players, the risk extends beyond this one game. If a major title like ARC Raiders can slip up, others might too. It underscores the importance of scrutinizing permissions when linking accounts and being wary of what data games might be collecting locally. Security researchers like Meadows play a crucial role here, acting as watchdogs in an ecosystem where studios might prioritize features over safety.
Lessons and the Path Forward
What can we learn from this? First, never trust third-party integrations blindly. Developers must audit SDK implementations thoroughly, especially for data handling. Second, local storage isn't safe storage—just because data stays on a device doesn't mean it's secure from other apps or users. Finally, transparency is key. Embark's quick response is commendable, but proactive measures could have prevented this.
As Embark conducts its "deeper audit," the gaming community will be watching. This incident should spur more rigorous security protocols across the industry, from indie studios to AAA giants. After all, in an age where privacy is currency, letting games log your DMs is a breach no player should have to accept.