I see no mention of notifying Mojang. And even if they did and Mojang is late with patching, I don't think it's very nice to post a public report on a weekend. Mojang is still a comparably small company and I'm sure nobody there is thrilled about fixing security flaws over the weekend.

This is, IMHO, not totally what I would call responsible disclosure.
"UPDATE: Woohoo! Things are back up and running perfectly! Thank you all for being patient while things were fixed. Also major props to Grum, Dinnerbone, and Leo who were out of bed and in to action in the blink of an eye!"[0]

[0] http://www.mojang.com/2012/07/houston-we-have-a-problem/
I'd have thought ensuring a session ID was only valid for a single account would have been the first thing to test when developing an authentication system. Perhaps not in Sweden.