Apple may have finally added two-factor authentication, but a new exploit is putting Apple IDs at risk, and two-factor authentication can't necessarily fix it. Here's what you need to know.


The Verge is reporting that a new exploit, involving a small URL trick on Apple's iForgot page, will let anyone reset your password using just your email address and your date of birth. Since this information is so easy to come by, a lot of people could change your Apple ID password. Two-step authentication would fix the problem, but as of right now, a lot of people aren't able to sign up for the new security feature. Ironically, Apple is citing "security reasons" for making people wait a certain number of days before they can sign up.


So how can you fix the problem if you haven't already enabled two-factor authentication? Change your date of birth to a fake date that only you can remember. Hopefully, Apple will fix the problem soon, and you'll be able to change it back. But for now, head to your account settings page on Apple's web site and change your birthday under the "Password and Security" menu. Hit the link to read more.

Update: Apple has thankfully shut down their password removal tool for maintenance, which means they hopefully got on top of this early and are fixing the problem.

Major security hole allows Apple passwords to be reset with only email address, date of birth | The Verge