Ahem, what? There was nothing fake about it. There was a huge security hole (the webserver had global read access) and someone exploited it to obtain the key.dat files of everyone using the service. Then, presumably using a method which was later discovered by Ipqµarx, they were able to reverse the hashing on the key files, either by knowing the server's MAC address or by having enough of the key.dat files to use an algorithm to narrow down possible hashes and then brute force it effectively.
This is 100% accurate, except for mentions of hashing, which are not used in keydat generation at all. It's a simple combination of 2 things, one which can be easily obtained and the other one which is a bit harder to get. It's already publicly available on the forums if you look around for it.
Cowboy already proved that only the first few characters were obtained from it.
I find it highly unlikely that all of those keys were hijacked yet none of them have reported suspicious activity yet.
Ahem, it was the last 3 characters that were shown. Not the first couple. It's possible to algorithmically generate the first 5, but the last 2 are actually the hardest to get, and the only way to get them without manually contacting the auth server is through the attack that I found. In other words, if they have the last 2 they have the rest as well. So yes, it is entirely possible that they got the full keys without actually using them.