Unlike your standard hack, which breaks into a game’s database and steals (or attempts to steal) usernames, passwords and account information, this incident has allowed people to log in to the game and play as somebody else.
The game’s authentication servers have all been taken down until the weak spot can be isolated and removed. “The hack does not expose your passwords or other personal details,” Minecraft creator Marcus “Notch” Persson wrote on Twitter. “It only lets you log in as anyone by doing something with the session id.”
“Exactly what that ‘something’ is, I haven’t understood yet. There’s [sic] emails going on between people who seem to understand it, though.”
The problem was first noticed a few days ago when Persson’s personal account was seen to be logging onto multiple servers that he hadn’t actually joined.
It’s important to note that the exploit does not appear to leave all users of the game vulnerable, only those who recently migrated their accounts to a Mojang account and log in using their email addresses.
UPDATE: That Mojang, it works fast. The servers are now back up, and “it’s no longer possible to login as someone else”.
Houston we have a Problem… [Mojang]