The flaw, in Passport’s password recovery mechanism, could have allowed an attacker to change the password on any account
to which the username is known. The simplicity of the attack method and
the high value of the data frequently stored in Passport
accounts–names, addresses, birthdates and credit card
numbers–combined to make the vulnerability critical.