It was actually a distributed campaign with multiple hackers with different methods but the main leaks were due to the following problems:
1. Bug in some Apple services allowed unlimited login attempts
2. Bug in Apple backup restoration function allowed bypassing multi-factor authentication (or was it confirmation email?)
This is all from memory, I might be wrong about the details. Anyway, that Apple initially blamed this on weak passwords and now phisihing clearly demonstrates what kind of PR circus this field is.
Just think about this: when Apple closed these holes (silently), attacks had been going on for 1-2 years. Towards the end there were fairly cheap and reliable hack-my-exs-iphone services on the darknet.
They caught the people responsible, and convicted them, as the Wikipedia page describes in detail at the end. The actual perpetrators acknowledged they'd sent phishing emails to gain access.
Whether or not there was brute force rate limiting available at the time (which seems unclear), that's not related to the specific events you brought up.
Security has always been like this. If you’ve ever tried to hop a fence or bypass a system, you know that it’s heavily stacked against the defense.
Defense needs to patch every hole. Offense just needs to find one hole. That doesn’t mean that it isn’t worth trying to defend, it just means that you need to be realistic.