Earlier today Apple took down its iForgot page after we reported that it was possible to reset a user password with nothing more than an email address and date of birth. Apple has now brought the site back online after fixing the problem. iMore first reported that the exploit, which involved manipulating a URL, was no longer active. We have been able to confirm this in our own testing.
We still recommend for the maximum security that you enable the new two-step verification if it is available in your country.