
Timothy discovered that Arc Raiders' Discord SDK was using a completely unencrypted bearer token and logging "all events," including any private conversations, to the user's local drive without any encryption. A bearer token stores the user's Discord credentials, and anyone who gets this token has full access to the Discord user's account, including private DMs, friends list, and account settings.
This is made worse by the fact that if Arc Raiders crashes and the user sends log files to Embark Studios (the game's development team), the company's employees will have that user's full account credentials and any DMs that were sent to the log files.
Arc Raiders uses the Discord SDK to show your Discord friends list in-game and invite Discord friends to the game. For this limited functionality, Timothy states the game only requires a "limited OAuth scope for game activity display." Using that narrower scope would solve the issue, stopping Arc Raiders from recording DMs and a user's full account credentials to the game's log files. Some engineers who've inspected Discord's API say the issue lies solely with Discord, however.
I dug into the ARC Raiders Discord token leak issue; this might not be ARC Raiders or Embark's fault. Discord's new Social SDK has a logging hook you can override, and as far as I can tell Discord is failing to scrub log events of sensitive information.
API: discord.com/developers/d…
Thankfully, Embark Studios has since patched the issue with a hotfix. The game company assured users that no private or personal data was sent outside of gamers' PCs, and the company itself has not reviewed or kept any personal information that might have been sent to them. Embark Studios has completely disabled Discord's SDK and is conducting an audit to ensure that there are no other problems with the SDK.
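The scrubbing step the quoted engineer says is missing can be sketched as a filter applied to each log line before it reaches disk or a crash report. This is an added example, not code from Embark, Discord or the original article; the log line shapes, JSON field names and the `scrub`/`audit` function names are assumptions made for illustration.

```python
import re

# Assumed log shapes (constructed for this example, not taken from the SDK):
# an "Authorization: Bearer <token>" header and JSON event payloads carrying
# token fields or message "content".
_BEARER = re.compile(r"\b(bearer)\s+[A-Za-z0-9._~+/=-]{8,}", re.IGNORECASE)
_JSON_FIELD = re.compile(
    r'("(?:access_token|refresh_token|token|content)"\s*:\s*)"(?:[^"\\]|\\.)*"',
    re.IGNORECASE,
)
REDACTED = "[REDACTED]"


def scrub(line: str) -> tuple[str, int]:
    """Return the line with secrets replaced, plus the number of redactions."""
    # JSON string values first (handles escaped quotes inside the value).
    line, n_json = _JSON_FIELD.subn(lambda m: f'{m.group(1)}"{REDACTED}"', line)
    # Then bare bearer credentials, keeping the scheme word for readability.
    line, n_bearer = _BEARER.subn(lambda m: f"{m.group(1)} {REDACTED}", line)
    return line, n_json + n_bearer


def audit(lines):
    """Scrub every line; return (clean_lines, 1-based numbers of lines that held secrets)."""
    clean, hits = [], []
    for number, line in enumerate(lines, 1):
        out, count = scrub(line)
        clean.append(out)
        if count:
            hits.append(number)
    return clean, hits


# Constructed sample log; tokens and messages are placeholders, not real data.
SAMPLE_LOG = [
    "[12:00:01] INFO  sdk: connecting to gateway",
    "[12:00:02] DEBUG http: GET /users/@me Authorization: Bearer EXAMPLE.constructed-token_0001",
    '[12:00:03] DEBUG event: {"type":"MESSAGE_CREATE","content":"see you at 8 \\"sharp\\"","channel":"dm"}',
    '[12:00:04] DEBUG auth: {"access_token": "EXAMPLEconstructed0002", "expires_in": 3600}',
]

if __name__ == "__main__":
    cleaned, flagged = audit(SAMPLE_LOG)
    print("lines that contained secrets:", flagged)
    print("\n".join(cleaned))
```

Running the same `audit` over an existing log file before attaching it to a crash report shows which lines would have carried credentials or message text.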
This isn't the first time Discord has had to deal with security issues. The social app was hacked late last year by a ransomware group that demanded $3.5 million from Discord's developers and allegedly stole 70,000 government ID photos.