Earlier today Apple took down its iForgot page after we reported that it was possible to reset a user password with nothing more than an email address and date of birth. Apple has now brought the site back online after fixing the problem. iMore first reported that the exploit, which involved manipulating a URL, was no longer active. We have been able to confirm this in our own testing.
Apple confirmed the problem earlier today and said it was working on a fix. However, even after the company took down the iForgot page it was still possible to access the page via other means. The only way for a user to protect themselves from the exploit was to activate Apple's two-step authentication. Unfortunately, some users found themselves stuck in a three-day queue before they would be allowed to add it to their account. With the overall problem now resolved, those still waiting should be able to relax. However, we still recommend that all iCloud and Apple ID users activate Apple's two-step authentication as soon as possible — if it's available in your country, that is.