Report: Apple Passwords Can Be Reset With Just Email And Birthday


Have you turned on your Apple ID two-step verification yet? You’ll want to get on that. A report from The Verge indicates that if you haven’t, hackers can change your password with nothing more than your email address and your birthday.

Apparently, the exploit involves using a modified URL and then supplying the correct date of birth as the answer to a security question, at which point the password can be easily reset. A step-by-step guide to abusing the exploit is said to be out there somewhere, but The Verge has declined to link to it, citing security reasons. The exploit only affects users who haven’t already enabled two-step verification on their accounts.

Given the relative secrecy of the method, we haven’t been able to verify the exploit first-hand, but you should go enable two-step verification anyway — exploit or not — just as a matter of general security. Some users are reporting up to a three-day wait to enable verification, and during this wait, accounts are reported to be vulnerable to the exploit. So, if you really, really want to be careful, the best bet is to go and change your birthday to one of your many unbirthdays. You can do that from your Account Settings, at the bottom of the page for “Password and Security”. [The Verge]

Update: The password reset tool is currently down for maintenance, so we can only assume any holes are currently being patched up.

