The flaw, in Passport's password recovery mechanism, could have allowed an attacker to change the password on any account to which the username is known. The flaw was disclosed late Wednesday night on the security mailing list Full Disclosure.

The simplicity of the attack method and the high value of the data frequently stored in Passport accounts combined to make the vulnerability critical.

"We can and must do better." - Bill Gates