No, no, no. Absolutely no. They were never _believed_ to have access to millions of accounts. They _claimed_ to have access.
If Apple sends you an email, they have your name (or at least the name you supplied when you created your AppleID, which may not be your real name). They will address you with your real name. An email starting with "Dear client..." doesn't come from Apple. An email starting with "Dear Aleco" might be from Apple.
My personal recommendation is a password made of three personal items that _you_ can easily remember, of which at least one is secret. Having three items makes brute-force password cracking very difficult by sheer length. "Personal items" means that an automated attack against a badly protected database (one that stored hashed but not salted passwords) won't work because your password will be unique. The one secret item makes sure that someone attacking you personally isn't going to get in.
And use a password that is iPhone-friendly and easy to type in.
Plus, use this password on sites that you trust to keep it secret. For example, if you book a hotel and they want some password, use a throwaway password.