I am no fan of Apple, but this man used phishing attacks to gain access to just 306 iCloud accounts. That hardly seems a significant failing on Apple's part. He used the credentials of the victims, so I'm not really clear how rate limiting should have played a role; should you be limited from accessing your own account?
Apple has made leaps and bounds on security, including making 2FA mandatory, but none of it matters when the user is convinced they are speaking to someone from Apple who is telling them to read out the 2FA code and provide their details.
No warning in the world will help, because the attacker will just say "OK, that's fine, that warning is just for untrusted people. Since I am an Apple employee, it is perfectly safe." These victims already trust the attacker, so they will just do anything asked.
I think the only solution here is to just block all logins from outside the user's own country and to have local law enforcement crack down hard on any in-country criminals. Apple can use Find My location to work out whether any of the user's devices are at, or have been at, a certain location. I can't imagine many situations where you leave all of your devices at home, leave the country, and then try to log in.
Was it really in a short time frame? It sounds like he was choosing some targets based on requests from other people. This sounds like he was doing this over quite a long time.