There's an exploit in Minecraft that lets you log in under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.
It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.
We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...