Embark Studios hurries to resolve Arc Raiders Discord integration issue as “significant privacy and security breaches” could have compromised private Discord messages, friend information, and more

A significant security vulnerability has been identified in Arc Raiders, according to a security expert, raising concerns about the potential exposure of private Discord messages, friends list details, and other sensitive player information. Embark Studios has announced that they are “conducting a deeper audit” to address the issue.

Timothy Meadows, a distributed systems engineer and technical blogger, reported earlier this week that Arc Raiders appears to be storing private Discord messages, friends list presence data, and Discord Bearer Authentication tokens in local log files when the game’s Discord integration feature is activated.

In his analysis, Meadows detailed that he discovered private Discord Direct Message (DM) exchanges between users being recorded in plaintext format in a local game log during gameplay. He also found a complete Discord Bearer authentication token stored within the same log file, highlighting significant privacy concerns for all players using the game’s Discord integration.

Meadows explained that the issue arises from the functionality of the Arc Raiders Discord SDK (software development kit). When players enable Discord integration, the SDK uses the full Discord Bearer authentication token to retrieve various data. This token acts as an access credential for specific data on Discord, yet the SDK appears to log more information than anticipated, including private messages. Meadows noted, “Instead of filtering out sensitive data, the SDK logs every event it receives to the disk.”

If Meadows’ findings are accurate, private conversations received while playing the game are written to local storage. These log files could inadvertently be included in crash reports or bug reports, and could be readable by other applications on the device. Anyone with access to the machine or to these reports could then read private conversations and other sensitive information.
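A defensive check for the exposure described above, as an added example that is not from Meadows' analysis or Embark's code: it redacts Bearer tokens and message bodies from log text before a log is attached to a bug report, and reports which lines held them. The log line layout, the JSON key names and the sample lines are assumptions constructed for illustration, since the page does not show the real log format.

```python
import json
import re

# Assumptions: tokens follow the word "Bearer"; events are JSON with these private keys.
BEARER_RE = re.compile(r"\b(Bearer)\s+[A-Za-z0-9._~+/-]{16,}=*", re.IGNORECASE)
SENSITIVE_KEYS = {"content", "access_token", "token"}

def _scrub_json(value, hits):
    """Recursively blank string values stored under sensitive keys."""
    if isinstance(value, dict):
        out = {}
        for key, item in value.items():
            if key.lower() in SENSITIVE_KEYS and isinstance(item, str):
                hits.append(key)
                out[key] = "[REDACTED]"
            else:
                out[key] = _scrub_json(item, hits)
        return out
    if isinstance(value, list):
        return [_scrub_json(item, hits) for item in value]
    return value

def scrub_line(line):
    """Return (redacted_line, findings) for one log line."""
    hits = []
    start = line.find("{")
    if start != -1:
        try:
            payload = json.loads(line[start:])
            line = line[:start] + json.dumps(_scrub_json(payload, hits))
        except json.JSONDecodeError:
            hits.append("unparsed")  # flag for manual review, never pass silently
    line, count = BEARER_RE.subn(r"\1 [REDACTED]", line)
    return line, hits + ["bearer"] * count

def scrub_log(text):
    """Redact every line; return clean text and findings keyed by line number."""
    clean, report = [], {}
    for number, line in enumerate(text.splitlines(), start=1):
        redacted, hits = scrub_line(line)
        clean.append(redacted)
        if hits:
            report[number] = hits
    return "\n".join(clean), report

# Constructed sample lines; the page does not show the real log layout.
SAMPLE_LOG = """\
[12:00:01] discord: Authorization: Bearer AbCdEfGhIjKlMnOpQrStUvWx.yz0123
[12:00:02] discord: event {"type": "message", "data": {"content": "see you at 8"}}
[12:00:03] render: frame time 16.6ms"""
```

Redaction only makes the copy safe to share; a token that the report flags was already written to disk in the original file.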

In his posts on social media, Meadows said he had attempted to notify Embark Studios but found the link to its bug bounty program dead and the program unlisted in the Intigriti catalog. He emphasized, “There is a significant security issue with Arc Raiders’ Discord SDK integration that risks exposing players.”

In response to the findings, a statement on the official Arc Raiders Discord server indicated that a hotfix is being developed. The message reassured players that their personal data has not been transmitted outside their machines and that Embark has neither reviewed nor retained any such information. The company intends to disable the Discord SDK logging and is undertaking a thorough audit to prevent any further issues. Players with concerns are encouraged to contact the support team.

Meadows also advised users to promptly change their Discord passwords, refrain from sharing log files, and disable Discord integration in Arc Raiders until the problem is addressed.