If it's not related to the Apple ID thing, then it could be traditional credential stuffing, meaning that the same password / email got reused on another website that got leaked.
Discussion
2FA is probably the best stopper to problems like this, especially credential stuffing, but if it was a more in-depth hack, then maybe two-factor wouldn't help. It seriously just depends on how this occurred.