Depends upon where he got the userid and password. If it was somehow scarfed from Apple, then absolutely, they are at fault.
If not, then the blame goes elsewhere.
It's pretty straightforward. If someone has that 'find my phone' feature turned on, then gives up the userid/password for it, you can pretty much bet you're going to get screwed.
If you don't have the 'find my phone' feature turned on, it's not an issue.
From eBay. As far as I know, eBay does not save your iTunes ID and password, which means people were using the same information for eBay and iTunes. People should know better, and use different passwords for different accounts! I have the "find my phone" feature on in my iPads, as it is useful. My iPad was stolen a couple years ago, I remotely tracked it to a hotel and gave the information to the police. Then later I remotely wiped the data. The thief must have been scared, because it was anonymously turned in to authorities and I recovered it intact. "Find my phone" is useful.