IE 11 is not supported. For an optimal experience visit our site on another browser.

Apple hit by password-reset security hole

PW exploit

Apple's password-resetting process has been taken down following the publication of a major security hole that allowed accounts to be accessed with just an email and date of birth. Apple is in the process of fixing the vulnerability.

The password-reset exploit, first reported by The Verge after they received an anonymous tip, involved pasting a certain URL into the browser while answering the date-of-birth security question. This would grant access to the iTunes and iCloud accounts associated with that email address, with which the attacker could do what they liked.

There is no indication of how long the hole has been available to be taken advantage of, or how accounts have been compromised.

Apple is working on a fix, but in the meantime has taken down the password-reset function. The company rolled out a two-step verification process on Thursday, allowing users to tie their account security to a device — but some users found that the feature would take three days to take effect, preventing them from using it as a way to avoid this security problem.

The company offered the following statement pending further announcements on the security hole:

Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix.

Update: The "iForgot" password reset page came back online late Friday evening, indicating Apple has patched the security hole.

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is