Hacker group claiming to have millions of valid Apple log-ins and demanding $75,000 underscores risks of credential stuffing.