Apple told ZDNet that iCloud was not compromised, and users should change their Apple ID password.
"Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store."
It's likely that the hackers managed to get access to the users' login information and simply used Find My iPhone to lock the devices.
To prevent your device from being hijacked, we strongly recommend that you enable two-factor authentication on your Apple ID, update your older, weaker passwords on iCloud and be sure to use a passcode on your iOS device as those devices with a passcode cannot be remotely locked.