There's an exploit in Minecraft that lets you log in under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.
It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.
We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...