The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
It’s worth noting that the vulnerability did not allow access to iCloud passwords, it only permitted repeated guesses or an automated dictionary attack. In order for it to succeed, relatively weak passwords would need to have been used on the accounts accessed.
As a lot of celebrities know each other, it’s likely that once one account was compromised, contacts data could be used to identify the email addresses of other celebrities, doing the same thing with each account accessed.
While the tool only appeared on Github two days ago, its author or others may have had access to it for far longer, potentially explaining the reported publishing of photos deleted by their owners some considerable time ago.
As with any online service, it’s always advisable to use strong passwords and two-factor authentication.