updated 03:47 pm EDT, Fri March 22, 2013
Two-step verification only current defense
(Updated with Apple disabling the iForgot password retrieval page) A new exploit lets people hijack an Apple ID account using only an email address and someone's date of birth, says The Verge. The process involves pasting in a modified URL while answering the date of birth question on Apple's password retrieval page. Doing this lets someone reset an Apple ID's password, locking out the original owner unless they can get Apple's help.
The only remedy to the problem appears to be the two-step verification process Apple introduced just yesterday. That forces people to enter a PIN code before changing account info, and the code is only accessible through Find My iPhone or a text message to a pre-registered phone number.
As a response to the exploit, Apple has disabled the iForgot webpage, used for password recovery and retrieval. Apple has not made any public comment on this matter, or given any timetable for the page's return.