Phishing scammers have published more than 1,800 Minecraft usernames and passwords to the web. Mojang have already contacted everyone affected by the release and assure us that they’ve not been hacked.
If you’ve not been contacted by Mojang then you don’t need to change your password.
Phishing’s where someone convinces you to hand over private details, usually by pretending to be an official. In this instance, someone emailed Minecraft players claiming to be Mojang and asked them to confirm their account details. The phisher took those details, compiled a list and then published them to a phishers’ forum (phorum?).
You can reset your Mojang password just to be on the safe side by going to the reset password page. In future don’t release your password details, never ever, never ever, never ever: