The Verge first wrote about the security hole, and Apple quickly took down the password reset page so it could fix the flaw.
Your Apple ID is the login you use to access iTunes and purchase music, videos, and apps. Millions of people have their credit card information tied to their Apple ID.
The flaw came to light a day after Apple enabled two-step verification for Apple ID logins. That means users have the options to receive a text message with a second unique password every time they want to log in. The process makes it more difficult for hackers to access your account because they'd need your cell phone too.