New security hole allows for Apple ID password reset using Apple's iForgot page [u]:

Just a day after Apple tightened account security by introducing two-step verification, yet another vulnerability has been exposed, one that could allow for malicious users to reset the Apple ID and iCloud passwords of others using only an email address and date of birth.

Update: Apple has pulled the "iForgot" webpage down for maintenance following reports of the vulnerability.