A new security vulnerability has been discovered that allows unauthorized users to gain access to Apple (AAPL) accounts that have not yet upgraded to the company’s new two-step verification feature. The exploit, as reported by The Verge, allows anyone to reset an Apple account password with only an email address and date of birth. This action is achieved through a modified URL accessing Apple’s own iForgot password support page. Users can protect themselves by turning on Apple’s two-step verification feature. The extra layer of security requires users enter a verification code that has been sent to a trusted device prior to changing any personal information.

UPDATE: Apple has acknowledged the issue and said it is actively working on a fix. The company’s iForgot password reset tool has been taken offline until further notice.