The day after Apple introduced its new two-step verification, aimed at providing a more secure Apple ID, The Verge uncovered a flaw that allowed anyone to reset your password if they had your email address and date of birth. With that information in hand, directions surfaced on how pasting a special URL would allow individuals to exploit the vulnerability. This exploit affects customers who have not yet enabled two-step verification, so pretty much everyone is at risk. While not their intention, Apple will likely see a surge in those seeking the added security of two-step verification.
Apple is aware of the issue and is working on a fix. In the meantime, the password reset tool has been disabled. Since that tool is the center point of the exploit, it appears Apple won’t re-open it until the exploit is sufficiently patched.
If you want to get a jump on the added protection of two-step verification, you can do so at My Apple ID.
Source: The Verge