After several blog posts and discussion over the recent Xoom Password Recovery Facility (see Easily Cracked Xoom Accounts?), Xoom has wisened up and fixed that feature.
Marhgil posted about it here after checking back on their system.
That was quite fast. At least they’re monitoring blogs or reading emails huh?