Chris Welch for The Verge:
Apple yesterday rolled out two-step verification, a security measure that promises to further shield Apple ID and iCloud accounts from being hijacked. Unfortunately, today a new exploit has been discovered that affects all customers who haven’t yet enabled the new feature. It allows anyone with your email address and date of birth to reset your password — using Apple’s own tools.
The only way to secure your Apple ID until you get two-step verification is to change your date of birth to something bogus. I’ve done it and you should, too.