There have not been any breaches in any of Apple’s systems including iCloud and Apple ID. The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.
We’re actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.
Because of shared passwords, hackers frequently use details obtained in other breaches to try and access more valuable accounts, which may be happening here. Previously, we’ve seen hackers try to extort users directly this way, using Find My iPhone to remotely lock devices until they’re paid. We’ve contacted Apple and will update this post if there are any other details.
Now that at least some of the information has been verified, it seems like a good time for anyone who has (or used to have) an Apple or iCloud account to update and lock down their security settings. Even if these hackers (or someone else) has obtained a password for your account, using two-factor authentication should keep them from being able to access details or remotely wipe devices.
Instructions on setting up two-factor authentication for your Apple ID can be found here. Additionally, if you haven’t changed your password in a while, or have ever shared it with an account anywhere else, it’s a good idea to change it to something strong and unique. Visit Apple’s password reset page at https://iforgot.apple.com/ (check for the secure padlock and correct URL in your address bar) to do that now.