What I don’t understand and this article never mentions (which is either disingenuous or poor journalism) is how these hackers gained access to the Apple accounts.
The phone passcode/PIN and Apple account passwords are separate. If someone were to glean your PIN (as implied by the article), that does not give them access to your Apple account. It may give them access to your phone and almost everything on it, then further bad security practices may lead to them accessing the Apple account.
So these people either also got phished on top, or they had their Apple account password insecurely stored on their phone.
I’m not saying Apple couldn’t do more to help these people but having a platform to recover accounts with identity verification is also a vector of attack.
At what point is this just a failure of personal responsibility? The thief is to blame first and foremost, but Apple can’t force you to be educated on and make sound security practices.