There's an exploit in Minecraft that lets you log in under someone's name without ever needing to know the person's password. All the attacker needs to do is get you to join his/her server once, and s/he can use your account for hours, days, possibly weeks afterwards. This client-side fix patches your game so that it won't let your server tell you to authenticate against a "blank" server ID. You can download a ZIP to install it like any other mod (put the files into minecraft.jar), or Windows users can use the setup program to automatically install the fix.
It's not that secret anymore, especially since the fix has appeared on the web as of a day ago.
We discovered it a while ago but we didn't mention a word to anyone because I was trying to get Jeb to fix it. He did, kind of, but he made a mistake so it's only half fixed. But now the cat's out of the bag, so...