Your Discord DMs were briefly written to disk by Arc Raiders — Discord says it’s fixing the SDK

Your private Discord DMs and a full Discord bearer token were briefly written in plaintext to a local log file if you used Arc Raiders’ Discord integration – Embark rushed a hotfix, and Discord now says it will change its Social SDK and give developers stricter guidance.

  • What happened: Arc Raiders’ Discord integration logged plaintext DMs, friend data and a full bearer token to a local file on PCs (researcher Timothy Meadows discovered it).
  • Immediate fix: Embark disabled SDK logging and pushed a hotfix on March 5 after being notified March 4; it says nothing was exfiltrated.
  • Platform response: Discord is updating its Social SDK with “additional protections” and will publish developer guidance to prevent similar logging mistakes.

Why this actually matters

Plaintext logs on your hard drive are boring-seeming until you think through the failure modes. The log file Timothy Meadows found (reported at a path like C:\Users\\AppData\Local\PioneerGame\Saved\Logs\discord.log) contained full direct-message text and a Discord bearer token – effectively a session key that can persist until a password reset or token revocation. Even if Embark and independent reporting (Eurogamer, GameStar, PC Games DE, Dexerto) show no evidence the data left players’ machines, those files can be scooped up by crash reports, bug reports, other apps on the same PC, or malware. Local-only does not equal safe.

The uncomfortable observation the PR teams don’t want you to lead with

Both Embark and Discord are framing this as a misplaced debug-logging feature in the Discord Social SDK – and that’s true. But it’s also true that shipping production builds with developer logging enabled, or failing to scrub SDK events, is a preventable mistake. SDKs are a convenience, not a substitute for safe defaults. When an SDK’s hooks are too verbose and a studio doesn’t override or disable sensitive logging, users pay the price. In short: blaming the SDK alone is a convenient narrative; the real lapse is the combination of verbose default behavior and insufficient developer-side vetting.

What the timeline and responses tell us

Meadows published his findings after testing the Arc Raiders integration; he notified Embark on March 4. Embark responded by disabling Discord SDK logging and shipping a hotfix the next day (March 5), saying the studio had not accessed or transmitted the logged data and that post-hotfix tests no longer produced the logs (Dexerto, Eurogamer, PC Games DE). Meadows’ original blog said the token could be used to access account data; reporting notes the initial claim about send-message ability was corrected — the bearer token primarily enables reading DMs, friends and server data and remains valid until the user changes their password or the token is revoked.

Discord’s statement (first reported via Eurogamer and Dexerto) accepts responsibility for the SDK contributing to the problem and promises to update the Social SDK with “additional protections” and provide guidance to developers about avoiding excessive or unsanitised logging. That response is important, but slower and higher-level than Embark’s hotfix: Embark patched the immediate issue same-day, while Discord’s fix will take the form of SDK updates and developer docs — changes that take longer to roll out and require game teams to adopt them.

The question I’d put to a PR rep

“Will you make production builds fail to compile or block shipping when a Social SDK’s developer/debug logging is enabled, and will you require a documented audit of SDK logging behaviour before integration is accepted?”

What to watch next

  • Discord’s Social SDK changelog and release date — will the update include safer defaults or hard blocks for sensitive events? (This will show whether Discord treats this as a minor doc fix or a real product change.)
  • Embark’s audit results — are there other SDK integrations with excessive logging, or was this isolated to a single logging flag?
  • Community verification that unlinking/reauthorising Discord invalidates the token as Embark suggests; users should change Discord passwords and re-authorise if they were linked during the affected window.
  • Whether other games using Discord’s Social SDK show similar logs in public tests — a repeat would indicate a systemic SDK default problem rather than a single-studio mistake.

Short-term practical steps: if you used Arc Raiders with Discord integration, unlink and re-authorise Discord, consider a password reset, and check for unexpected crash-report uploads or third-party tools that might read local logs.
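
An added example, not code from Embark, Discord or the original article: a Python sketch of the two checks discussed above, scrubbing SDK log lines before they reach disk and auditing an existing log for leaked secrets. The log format is not shown in the reporting, so the `Bearer <token>` and JSON field shapes, the function names and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re

# Assumed shapes; the reporting does not show the real log format.
# "Bearer <token>" as in an HTTP Authorization header (RFC 6750).
BEARER = re.compile(r"(?i)\b(Bearer)\s+([A-Za-z0-9._~+/=-]{16,})")
# JSON-style fields carrying tokens or message text (field names assumed).
JSON_FIELD = re.compile(
    r'(?i)"(access_token|refresh_token|token|content)"\s*:\s*"((?:[^"\\]|\\.)*)"')

def fingerprint(secret):
    """Short SHA-256 prefix: correlates a leak without storing the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]

def scrub(line):
    """Developer side: redact tokens and message bodies before writing."""
    line = BEARER.sub(
        lambda m: f"{m.group(1)} [REDACTED sha256:{fingerprint(m.group(2))}]",
        line)
    return JSON_FIELD.sub(lambda m: f'"{m.group(1)}": "[REDACTED]"', line)

def audit(lines):
    """User/responder side: (line_number, kind) for each leaked value."""
    findings = []
    for n, line in enumerate(lines, 1):
        if BEARER.search(line):
            findings.append((n, "bearer_token"))
        for m in JSON_FIELD.finditer(line):
            is_msg = m.group(1).lower() == "content"
            findings.append((n, "message_content" if is_msg else "token_field"))
    return findings

# Constructed sample lines, not taken from the real discord.log.
SAMPLE = [
    '[2026-03-04 10:00:01] INFO sdk: connected',
    '[2026-03-04 10:00:02] DEBUG http: Authorization: Bearer EXAMPLEtoken0123456789abcdef',
    '[2026-03-04 10:00:03] DEBUG sdk: {"event":"dm","content":"see you at 8 \\"sharp\\""}',
]

if __name__ == "__main__":
    for n, kind in audit(SAMPLE):
        print(f"line {n}: {kind}")  # reports location only, never the value
    for line in SAMPLE:
        print(scrub(line))
```

To audit a real file, pass its lines to `audit()`; a non-empty result on a log written while Discord was linked is the cue to re-authorise and reset the password as described above.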

TL;DR

Arc Raiders briefly recorded Discord DMs and a bearer token to a local plaintext log; Embark pushed a hotfix and disabled SDK logging on March 5 after Timothy Meadows’ disclosure. Discord will update its Social SDK and provide developer guidance — meaningful fixes depend on SDK changes plus studios adopting safer build practices. The key thing to watch is the SDK changelog and whether game teams actually turn off dangerous developer logging by default.

Ethan Smith
Published 3/7/2026