as they issued a patch very recently. The loophole wasn't on iCloud logins per se but was actually on the "Find my iPhone" service. Unfortunately that uses the same password as iCloud so once the attacker used brute force to get it on that service they could then go login elsewhere to find the data they are seeking.
But as you said "if true", meaning it is still up in the air on whether this is how all these photos got out. The initial poster claimed use of iCloud but I'm reading on many sites that the phones in the pictures are often Android and BB devices. That suggests iCloud is not the only culprit (if at all) and we could be looking at other potential security breaches that haven't been patched. Or, as some celebs claim, many of the photos are faked meaning the claims against security loopholes are likely untrue as well.