A new exploit lets anyone who knows your birthday and e-mail address reset your Apple ID password, according to a new report.
The exploit, described by The Verge though not posted publicly, makes use of a special URL that gets around the need for a security question, a security measure Apple last April.
The reported exploit does not work on accounts with two-step verification enabled, which, and does away with the security question in favor of sending a four-digit PIN code to a cell phone that needs to be entered along with the typical password.
"Apple takes customer privacy very seriously," an Apple spokesperson told CNET. "We are aware of this issue and working on a fix."
In the interim, the company put its password reset tools into maintenance mode. Apple did not provide an estimate for when they would be back up again.
Account security is a touchy subject for Apple and any other tech company these days, especially after theof a technology journalist last year. That all kicked off with an iCloud account and eventually led to access of his personal e-mail and Twitter accounts. Apple and others have hardened their account security since.
Apple has more than 500 million active Apple ID accounts as part of its system. Those accounts are used for its various stores and online services, including iCloud.
Update at 1:30 p.m. PT to note that Apple put its password reset tools in maintenance mode, and once again at 3:25 p.m. PT with comment from the company.
Apple - USE TAG
reading•Apple ID password reset exploit reportedly in the wild
Dec 12•Queen's Bohemian Rhapsody crowned as most-streamed 20th-century song
Dec 12•iPhone XR photos, and how Portrait Mode works
Dec 12•What O-notch? Honor View 20 beats Galaxy S10 to in-screen selfie cam -- and 48-megapixel rear camera
Dec 12•iPhone XS, Pixel 3, OnePlus 6T and 20 other phones without headphone jacks