When a computer engineer named Timothy Meadows examined Arc Raiders' files last week, he discovered something troubling: the extraction shooter was writing Discord direct messages in plaintext to log files on players' computers. This wasn't a deliberate spying operation. Rather, it exposed a significant failure in how third-party software integrations should be designed.
Meadows found that during gameplay of Arc Raiders, private Discord Direct Message conversations between two users were being written to a local game log file, and a full Discord Bearer authentication token was stored in the same log file. The Arc Raiders Discord SDK was connecting using a full user Bearer token, opening a complete Discord gateway connection identical to the one used by the Discord desktop app itself.

The design choice proved catastrophic to privacy. When players enabled Discord integration with Arc Raiders, Embark Studios used the full Discord Bearer authentication to access user data, and rather than filtering sensitive events, the SDK logged everything it received to disk. This was not a default setting; it only affected players who linked their Discord account to Arc Raiders through the in-game integration options.
Meadows allegedly brought this to Embark Studios' attention a month ago, and when the developer did not respond, he made the information available publicly. The developer responded quickly once the problem became public. Less than 30 minutes after Embark Studios announced the issue on Discord, the hotfix went live, and according to GamesRadar's testing, the hotfix fully resolved the issue.
Embark stated that private and personal data was not sent outside players' machines and that Embark had not and would not review or keep such information, and the team would disable the Discord SDK logging and conduct a deeper audit to ensure no further issues. This reassurance carries weight; the data remained local rather than being transmitted to company servers. Yet the situation highlights a broader principle about software design.
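
One way to apply the filtering that the SDK logging lacked, as an added example that is not Embark's or Discord's code: an allow-list decides which event payloads reach the log at all, and a logging filter masks bearer tokens as a backstop. The allow-list, the sensitive key names and the sample events are assumptions constructed for illustration; the `t` and `d` fields follow the gateway's event envelope.

```python
import json
import logging
import re

# Assumption: the only event type whose payload the game needs in its logs.
LOGGABLE_EVENTS = {"PRESENCE_UPDATE"}
# Hypothetical field names that must never be written, even for allowed events.
SENSITIVE_KEYS = {"token", "content", "authorization"}
BEARER_RE = re.compile(r"(?i)\b(Bearer)\s+[A-Za-z0-9._~+/=-]{8,}")


def scrub(value):
    """Recursively mask sensitive keys and bearer tokens inside strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return BEARER_RE.sub(r"\1 [REDACTED]", value)
    return value


def render_event(event):
    """Build the log line: full payload only for allow-listed event types."""
    etype = event.get("t", "UNKNOWN")
    if etype not in LOGGABLE_EVENTS:
        return f"event={etype} payload=[not logged]"
    clean = scrub(event.get("d", {}))
    return f"event={etype} payload={json.dumps(clean, sort_keys=True)}"


class BearerRedactingFilter(logging.Filter):
    """Backstop on the logger: mask bearer tokens in every record."""
    def filter(self, record):
        record.msg = BEARER_RE.sub(r"\1 [REDACTED]", record.getMessage())
        record.args = None
        return True


# Constructed sample events (not real Discord traffic).
SAMPLE = [
    {"t": "MESSAGE_CREATE", "d": {"content": "private DM text", "author": "user-a"}},
    {"t": "PRESENCE_UPDATE", "d": {"status": "online", "token": "constructed-value"}},
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(render_event(ev))
```

Attaching `BearerRedactingFilter` to the file handler, rather than to a single logger, covers records emitted by third-party libraries as well.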

From a security standpoint, Embark's approach represented poor practice. Discord's own Rich Presence SDK is designed to only require a limited OAuth scope for game activity display; using a full gateway connection vastly exceeds what is needed for Rich Presence functionality. Game developers routinely integrate with third-party platforms, but this case shows why the principle of least privilege matters. The game needed only to display what players were doing; it should never have accessed their private conversations.
The response demonstrates a genuine dilemma in modern software development. Embark acted responsibly once the problem was public, prioritising speed and transparency. Meadows had already reported the issue privately a month before; when Embark failed to respond, public disclosure prompted immediate action. This raises a practical question: did the lack of a visible bug bounty programme contribute to the researcher choosing public disclosure? Accountability mechanisms matter, and companies that lack clear reporting channels may find security issues disclosed more openly than they would prefer.
The issue affected only players who had voluntarily linked their Discord account to Arc Raiders. Players who never enabled Discord integration faced no risk. This fact deserves emphasis because it shapes the actual scope of exposure, even if the underlying design problem remains inexcusable.
The Arc Raiders incident illustrates why integrating game accounts with social platforms requires genuine technical rigour. Embark moved quickly to fix the problem, acknowledged the seriousness, and committed to deeper audits. Yet the month-long delay between private disclosure and public fix suggests that transparency at the disclosure stage might have accelerated resolution. Reasonable people disagree on whether security researchers should disclose privately first or go public immediately. This case suggests the answer depends partly on whether companies provide accessible channels for private reporting.