Unfortunately, today a new exploit has been discovered that affects all customers who haven't yet enabled the new feature. It allows anyone with your email address and date of birth to reset your password — using Apple's own tools. We've been made aware of a step-by-step tutorial (which remains available as of this writing) that explains in detail how to take advantage of the vulnerability. The exploit involves pasting in a modified URL while answering the DOB security question on Apple's iForgot page. It's a process just about anyone could manage, and The Verge has confirmed the glaring security hole firsthand.
Of course, we're not linking to the instructions on how to do this; however, we would suggest that you enable the two-step verification system that Apple introduced yesterday.
Unfortunately, not everyone can enable two-step verification yet, either because of their location or because of delays on Apple's side. The only other way to avoid the exploit is to set a fake birth date for the time being.