Let me guess. Their password was password.
LOL! Nope, can't be under Apple's requirements for Apple's iCloud passwords. Those have to be at least eight characters, include an upper and lower case alphabetical character and at least one number and one keyboard symbol. There are 223 possible characters that can be accessed from the Apple keyboard. That's 8223 = 2.44944165532867 X 10201 possible combinations of characters one could use. . . if one just stuck to eight characters. As the affidavit requesting the search warrant stated, the miscreant did not get in by guessing their passwords. He merely PHISHED them through email, or researched them in Fanzines, and used the "I forgot my password" to change their original password to one of his choice to get in.
One apparent consistency was the iCloud victims found themselves locked out of their own accounts with their passwords no longer working. Later, they found their private nude photos for sale on 4Chan and Reddit among 2000 other celebrities.
I have helped many relatives and friends to resolve problems on their computers. Lots of them are idiots. They either create no secure accounts, or use the default administrator account... with no password. And when they do create a password for Internet accounts, it's something safe that no one would think of, like "54321", their birthday or their kid's name. And they write it down on a piece of paper taped to the computer. Despite warnings, they don't learn to use safe practices.