Whether you have an account with Mojang or one on Minecraft (or both,) the company is recommending you change those passwords. Yes, it’s more OpenSSL ‘Heartbleed’ fallout. The hot new security vulnerability that’s sweeping the nation.
Mojang says it has updated all OpenSSL services and acquired new SSL certificates, so the security loophole should now be closed. However, you should still change your Minecraft password.
Since uses of the exploit leaves no traces, there’s no way for us to guarantee that your password hasn’t been compromised. Therefore, if you typed in your password into any of our games or websites during the last couple of days we strongly advice (sic) you to change it. Even if you haven’t logged in, it can still be a good idea the to change your password.
As they helpfully point out, it’d probably be a good idea to change the password on any other OpenSSL sites you’ve logged in to over the past couple of days. Especially if it happens to be a bank.
Heartbleed has had a further knock-on effect, as Mojang is having to discontinue the ‘legacy’ launcher.
If you’re using a Minecraft version older than 1.6 you need to download the current launcher (version 1.3.11) from minecraft.net. The current launcher lets you play older versions of Minecraft as well so you can still play on your pre-1.6 servers.