Apple explains that it's "aware of intermittent organised network attacks using insecure certificates to obtain user information" via iCloud. So, in other words, hackers seem to be exploiting the fact that humans are occasionally dumb to steal their data, by duping them into believing they're visiting the real iCloud when in fact they're not.
That, of course, raises the question of how you do know if you're looking at the right site. Fortunately, Apple's put together a useful visual guide to help — and you can follow it below.
When you're connected to the real iCloud in Safari, you should see a green lock in the toolbar. Click it and it should say "Safari is using an encrypted connection to www.icloud.com. You're golden.
If it says "Safari can't verify the identity of the website", walk away. Quickly.
In Chrome, you'll again see a green lock icon in the toolbar when you connect to iCloud. Click it, and you should see a message confirming that it's a verified site.
If you ever see a red padlock and a warning that "your connection is not private", run away.
Finally, in Firefox, you should also see a green lock icon in the toolbar. Clicking it should throw up a message telling you you're all clear.
If you're told that "This Connection is Untrusted", scream and hit Back.
Notice a pattern? Don't be dumb, and check those green padlock icons. [Apple]