Apple ID security issue fixed, password page back online

The page was taken down yesterday, after reports of an exploit that could let hackers with a user's e-mail address and birth date change the user's Apple ID password. The company has fixed the issue.

Apple's two-step verification process, introduced Thursday.
Jason Cipriani/CNET

Apple has fixed the security issue involving its Apple ID password-reset page, a vulnerability that had made it possible for hackers with a user's e-mail address and birth date to reset the user's password.

Apple said yesterday that it was aware of the issue and was preparing a fix. Meanwhile, the company had taken the "iForgot" reset page offline for maintenance. Now the page is back up, and Apple has confirmed the fix with CNET.

The security exploit made use of a special URL that got around the need to answer a security question. Apple had added the question step last April.

The exploit didn't work on the accounts of users who had enabled two-step verification, which Apple introduced Thursday. That system does away with the security question in favor of sending a request for a four-digit PIN code to a cell phone. The user enters the PIN along with the typical password.

However, as reported by The Verge, a number of Apple ID holders were told they'd have to wait three days before they could enable the two-step verification setup. Also, at this point, the two-step system is available only in the U.S., Britain, Australia, Ireland, and New Zealand.

There are more than 500 million active Apple ID accounts, which are used for the company's various stores and online services, including iCloud.

Update, 9:40 a.m. PT: We just received official confirmation from Apple that the company has fixed the issue. This story has been updated to reflect that.