Either you didn't read the page you linked or you are deliberately lying. The API issue is speculation; we know now that it was predominantly spearphishing.
All from the same article:
> "Apple claimed in a press release that access was gained via spear phishing attacks."
> "Apple later reported that the victims' iCloud account information was obtained using "a very targeted attack on user names, passwords and security questions", such as phishing and brute-force attack guessing."
> "Court documents from 2014 indicated that one user created a fake email account called "appleprivacysecurity" to ask celebrities for security information."
> "During the investigation, it was found that Collins phished by sending e-mails to the victims that looked like they had been sent by Apple or Google, warning the victims that their accounts might be compromised and asking for their account details. The victims would enter their passwords, and Collins gained access to their accounts, downloading e-mails and iCloud backups."
> "In August 2016, 28-year-old Edward Majerczyk of Chicago, agreed to plead guilty to a similar phishing scheme, although authorities believe he worked independently and he was not accused of selling the images or posting them online."
> "Garofano's attorney said he had been led into the phishing scheme by criminals."
> "Through a phishing expedition, he hacked more than 200 people"
All of the other methods of compromise are speculation; what has been unambiguously proven in a court of law over and over again was phishing.