Update: Apple has taken the iForgot page offline “due to maintenance.” Now that it is safe, this is how it was done.
Update 2: iForgot is back online and the security hole has been fixed.
A “massive security hole” in Apple’s account management page discovered by The Verge allows anyone to reset your Apple ID password using nothing more than your birthday and email address, completely bypassing your security questions. The trick involves a modified URL that seems to fool the site into skipping the security questions and other verification steps, allowing anyone to gain access to your iTunes, App Store, and other Apple accounts within minutes.
If you use Apple’s iForgot page, you are directed to the options below after entering your email and DOB so it would appear that the hack gets around this.
Way to go Apple in getting everyone on board with the 2-step!