Maybe I’m missing something here. Reading this over, Scott Hanselman’s password was clearly hacked. He doesn’t seem to think that’s the case because he’s cautious, but I’m going to go with Occam’s Razor here.
Apple prompts you for your password when buying apps and when doing in-app purchases. Someone would have had to both know your Apple ID and enter that password, unless there’s some in-app exploit, but he doesn’t seem to be suggesting that.
But what Hanselman, who happens to work for Microsoft, seems most upset about is that Apple sent him an email warning him of strange activity on his account, but worded it in a way he didn’t like. And then they locked down his account with wording he didn’t like. And they made him go through iTunes to double-check his activity.
And he doesn’t like that Apple knows what device he has, but let the download happen anyway. I mean, people buy new devices all the time. What’s the proposed solution here? The perpetrators clearly had the correct Apple ID and password. I’m not sure what you can do to protect against that. Kill the cloud?
Update: Matt Galligan brings up a great point below. Apple also prompts you for your credit card’s security code on new devices.
Update 2: John Gruber notes that since Hanselman was using a PayPal account, the credit card security code wasn’t in play.