Apple rolled out a much-needed security enhancement called two-step verification for your Apple account password reset page, then left a hole in the process, which is now fixed.
Nick Arnott on iMore:
Previously, after providing a victim’s Apple ID and date of birth, an attacker could send a URL to Apple that would change the password for that account, without needing to answer any security questions. In response, Apple blocked access to the password reset page, and a short while later took the entire site down in light of another loophole that still allowed the attack to be performed.
It’s back up and works.