A major security hole was discovered in Apple’s password reset functionality that let anyone with your email address and date of birth reset your password. Apple quickly took the Forgot Password page offline and said it was working on a fix.
Apple has now fixed the security hole and brought the password reset page back online. Exploiting the vulnerability was fairly simple: a person with malicious intent had to enter your email address and date of birth, then hit a specific URL to reset your password, thereby bypassing the security questions altogether.
Users who did have two-step verification enabled weren’t affected, but many of them were put in a three-day waiting period. Moreover, the feature hasn’t yet been rolled out to all countries. We recommend you put in a request with Apple to enable two-step verification right away, so there is less chance of exploits like these affecting you.