From the “full story”:
“The glitch was discovered last week by Ben Simo, a software tester in Arizona. Simo found that gaining access to people’s accounts was frighteningly simple. You could have:
guessed an existing user name, and the website would have confirmed it exists.
claimed you forgot your password, and the site would have reset it.
viewed the site’s unencrypted source code in any browser to find the password reset code.
plugged in the user name and reset code, and the website would have displayed a person’s three security questions (your oldest niece’s first name, name of favorite pet, date of wedding anniversary, etc.).
answered the security questions wrong, and the website would have spit out the account owner’s email address — again, unencrypted.”
Holy crap! That means the password reset is done client side.
But don't worry, we gonna patch every one of them. We got digital superglue and masking tape.
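For contrast with the flow quoted above, here is a server-side password reset that has none of the listed properties: the reset code is generated and verified only on the server (nothing to find in page source), the request step answers identically whether or not the username exists (no enumeration), and a wrong code yields a bare refusal rather than the account's email or security questions. This is an added example written for this thread, not code from the article or from the site it describes; the user store, the outbox stub and all names are constructed assumptions.

```python
"""Server-side password reset flow (added example, constructed for illustration).

Properties demonstrated:
  * reset token created and checked server-side only; only its hash is stored
  * request step returns the same generic message for known and unknown users
  * token is single-use, time-limited, compared in constant time
  * no account data (email, security questions) is ever returned to the caller
"""
import hashlib
import hmac
import secrets

# Constructed user database: username -> record. The email lives only here and
# is used for out-of-band delivery; no reset endpoint returns it.
USERS = {
    "alice": {"email": "alice@example.com", "password_hash": None, "salt": None},
}

# Pending reset tokens: username -> (sha256(token) hex, expiry as epoch seconds).
# Storing only the hash means a leaked table does not contain usable codes.
PENDING = {}

TOKEN_TTL_SECONDS = 900
GENERIC_MESSAGE = "If that account exists, a reset link has been sent to its email address."

# Out-of-band delivery stub (constructed): records (recipient, token) pairs
# in place of actually sending mail, so the flow can be exercised offline.
OUTBOX = []


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username: str, now: float) -> str:
    """Step 1: caller learns only a generic message, whether or not the user exists.

    `now` is passed in explicitly so expiry behaviour is deterministic.
    """
    if username in USERS:
        # 256-bit random token, generated server-side; never embedded in any page.
        token = secrets.token_urlsafe(32)
        PENDING[username] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
        OUTBOX.append((USERS[username]["email"], token))  # goes to the account's own mailbox only
    # Identical response and identical visible state for unknown usernames.
    return GENERIC_MESSAGE


def complete_reset(username: str, token: str, new_password: str, now: float) -> bool:
    """Step 2: server-side verification with TTL, constant-time compare and single use."""
    entry = PENDING.get(username)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        PENDING.pop(username, None)
        return False
    if not hmac.compare_digest(token_hash, _hash_token(token)):
        return False  # wrong code: plain refusal, no email, no security questions
    PENDING.pop(username, None)  # token is consumed on success
    salt = secrets.token_bytes(16)
    record = USERS[username]
    record["salt"] = salt
    record["password_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    return True


def verify_password(username: str, password: str) -> bool:
    """Helper used to confirm that a completed reset actually set the new password."""
    record = USERS.get(username)
    if record is None or record["password_hash"] is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    return hmac.compare_digest(candidate, record["password_hash"])


if __name__ == "__main__":
    print(request_reset("alice", now=1000.0))
    print(request_reset("nobody", now=1000.0))  # same message: no username enumeration
    _, token = OUTBOX[-1]
    print("wrong code accepted?", complete_reset("alice", "not-the-token", "hunter2", now=1001.0))
    print("right code accepted?", complete_reset("alice", token, "hunter2", now=1001.0))
```

The point of the enumeration check is that `request_reset` must be indistinguishable from the outside for "alice" and "nobody": same message, same status, and (in a real deployment) similar response time. The security questions from the article do not appear at all; once a caller holds the emailed token, that possession is the only factor the server trusts.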