ersocaster
Member
We just don't have enough data to know one way or the other.
That said, having dealt with Apple over the years at various jobs from a partner/customer/vendor perspective, they suck at the internet way more than most would expect. They put a pretty face on their services, but their back-ends are a mess. They outsource a ton of their infrastructure for their cloud services. Their APIs are a mess, inconsistent, poorly documented and riddled with 3rd party software that their support knows nothing about. I wouldn't be terribly surprised if someone figured out an obscure exploit to grab others' photos.
Edit: Just to clarify, because I realize that reads as particularly harsh, everyone 'sucks at the internet' to some degree, even Google. Also, I can pretty much guarantee security people at quite a few other companies besides Apple are losing sleep tonight over this.
They are not losing sleep if this all stems from that API issue. Any public API containing sensitive information should never accept direct input of credentials. You need an authenticator that allows the user to authenticate themselves without any application having direct access to their credentials other than the source of the information being requested (in this case, Apple).