Let's walk through the process of how this Find My iPhone compromise would have played out to obtain the photos, if this is in fact the way these recently leaked photos were obtained.
1.) The attacker uses a script, "Python" to obtain the iCloud victims password.
2.) The attacker then configures an iOS device, Windows PC with iCloud or Mac with iPhoto or Aperture to login to the iCloud account of the victim. There is no web interface to view these photos.
3.) Once the attacker authenticates the device or application in the previous step the victim is notified, on all of their devices and via email, that a new device, the attackers, has been authorized on the victims iCloud account. To my knowledge there is no way to disable this notification.
This would mean, if this was the way these photos were obtained, that the victims would have been notified of another device connecting to their account and could have changed the password or disabled the authorization.
Have any of these victims validated that these photos were only available through their iCloud account? Could they have been obtained through another web service? For example, when you install Dropbox on iOS it provides an option to automatically upload photos taken on the device to Dropbox, could that have been the vector that was used to obtain the photos? I believe the Google+ app provides this same functionality, automatically backing up the photos to the Google service. Both of these web services, if the victim used the same username & password as an iCloud account, provide a web interface for viewing photos.
