What's the bet this turns out to be a case of users using the same passwords across multiple sites and their (eBay perhaps?) password being compromised which is also their iCloud password etc.
We'll probably see more of this with many other online services where people used the same credentials on multiple systems - i.e. not something specific to Apple?