It's not that Apple was hacked; the problem is that millions of E-mail-address/password combinations have fallen into the hands of hackers. And those combinations are what Apple now forces you to use as your Apple ID, instead of letting you create a proper user ID. That is an ignorant policy.
Your E-mail address is on spammers' lists. When you cross-reference these lists with lists of common passwords, you get a boatload of cracked accounts. And when forced to set up a log-in ID that is an E-mail address, what percentage of the public thinks they have to use (or simply decide to use) the same password that they use for their E-mail account? I'm guessing at least a quarter. So now these sites put every user's personal E-mail account at risk, regardless of where it is. That's why this policy is a monumental security blunder.
If ANY service you use suffers a hack or information theft that includes your E-mail address and password, that combination can be used to access other services (like Apple's) that insist on this ignorant user-ID policy. And indeed, Apple confirmed that this is exactly what happened: "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."
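The reuse problem described above can be measured from the defender's side. This is an added example, not code from Apple or any service named here: it compares how many sign-ups already match a leaked pair when the log-in ID is forced to be the E-mail address versus when the user picks a separate ID. All addresses, passwords, the leak set and the function names are constructed for illustration, and the check is assumed to run at sign-up or password change, when the plaintext password is in hand.

```python
import hashlib

def pair_digest(login_id: str, password: str) -> str:
    """SHA-256 of a normalized (login ID, password) pair; the set holds no plaintext."""
    ident = login_id.strip().lower()
    return hashlib.sha256(f"{ident}\x00{password}".encode("utf-8")).hexdigest()

# Constructed sample: pairs leaked from an unrelated third-party service.
BREACHED_PAIRS = {
    pair_digest("alice@example.com", "sunshine1"),
    pair_digest("bob@example.com", "qwerty123"),
    pair_digest("carol@example.com", "letmein!"),
}

# Constructed sign-ups: (e-mail, user ID the person would choose, password).
SIGNUPS = [
    ("alice@example.com", "al1ce_w", "sunshine1"),           # reuses leaked password
    ("bob@example.com", "bobcat77", "Vq8#tLm2zR"),           # leaked e-mail, fresh password
    ("carol@example.com", "carol@example.com", "letmein!"),  # picks her e-mail as user ID
    ("dave@example.com", "dave_k", "hunter2"),               # not in the leak at all
]

def is_breached_pair(login_id, password, breached=BREACHED_PAIRS):
    """True if this exact log-in pair already circulates in a known leak."""
    return pair_digest(login_id, password) in breached

def exposed_signups(signups, login_id_is_email, breached=BREACHED_PAIRS):
    """E-mails of accounts whose log-in pair matches the leak under the given ID policy."""
    exposed = []
    for email, user_id, password in signups:
        login_id = email if login_id_is_email else user_id
        if is_breached_pair(login_id, password, breached):
            exposed.append(email)
    return exposed

if __name__ == "__main__":
    print("ID forced to e-mail:", exposed_signups(SIGNUPS, login_id_is_email=True))
    print("User-chosen ID:     ", exposed_signups(SIGNUPS, login_id_is_email=False))
```

A separate user ID only helps when it differs from the E-mail address: the third constructed sign-up stays exposed under both policies.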
Here's another example of how this policy sets Apple and its customers up for security breaches and stolen data: http://www.zdnet.com/article/severe-ios-bug-allows-icloud-password-theft
While in this case there's a software defect involved, it still demonstrates how a spammer (who of course already knows your E-mail address) only needs to acquire your password; he can auto-populate the "user ID" field with your E-mail address, making it look legit.
You don't see banks forcing you to use an E-mail address. Nor brokerages. Nor credit-card companies. Hell, even the most obscure comment forums let you set up a legitimate user ID. But not Apple.
Of course, Apple's not the only tech company making itself look like amateur hour online. Amazon has also "taken steps" in response to this attack, but has failed to fix the glaring user-ID problem. A while back, LinkedIn was caught uploading people's calendar appointments from their mobile devices, and compromising millions of users' passwords. The first of these was an unauthorized transmission of users' data (in clear text, no less), an offense against users (not to mention Apple's clearly stated policies). The second was just a failure.
But consider the source: LinkedIn joins Facebook, PayPal, and Apple in their requirement that your user ID be an E-mail address. The sheer ignorance of this policy undermines any security-related credibility its source might have.
Users shouldn't sit back and shrug this off. You don't need to roll over for businesses that steal your time and allow others to steal your identity or data. Use this form to tell Apple that this policy is unacceptable. Point them to this post or paraphrase it; we need to stop this ignorance.
You can read more about this debacle at The Next Web. And here's another massive data breach that's going to be much worse because of this asinine policy.
User IDs aren't the only playground for incompetence. Here comes United Healthcare, screwing up the password field with another offensive policy.