
Thank you for pointing this out—I appreciate it and have upvoted your comment. My original complaint was based on my memory of the 2014 iCloud celebrity scandal involving passwords. As I recall, there was a security issue where hackers exploited the “forgot password” mechanism. I believe Apple had very lax mechanisms in place at the time. However, since this wasn’t a complete compromise of iCloud, I’ve removed that detail from my main point to make it clearer.


This isn’t true at all.

It was hackers ringing up phone companies, acting as celebrities or agents and asking for replacement SIMs. Or pretending to be Apple Support. And then social engineering around the MFA process. Apple’s security was on par with everyone else in the industry.


In 2014, Apple had an iCloud issue with a vulnerability in Apple's Find My iPhone API, which lacked rate-limiting, allowing attackers to perform brute-force password attacks without restriction. Apple denied that this was the cause of the celebrity photo releases, but they also patched several bugs relating to security and began promoting two-factor authentication.

https://www.dailydot.com/debug/apple-icloud-brute-force-atta...



