There's an exploit in Minecraft that lets you login under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.
I was a highwayman. Along the coach roads I did ride With sword and pistol by my side Many a young maid lost her baubles to my trade Many a soldier shed his lifeblood on my blade The bastards hung me in the spring of twenty-five But I am still alive.
It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.
We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...