Agreed....
The number of people that have gotten reset notifications not initiated by themselves makes me believe the data was sold.
It's nice that someone on the internet agrees with me, but I was actually making a different point (not quite the opposite point, but close):
People get password reset notifications all the time. Typically you have no idea how they got your user id and/or email address to initiate the password reset.
But today everyone (well, Apple developers I guess) can point to this.
However, there's no way to tell from scattered reports whether people got the info from this researcher/hacker (whatever he is) or various other means. The info is public, so there are a lot of ways this information can be harvested.
Now, if there was a sudden up-tick in password reset notifications for Apple developer accounts then we could likely put two and two together. But scattered reports don't show this.
So we don't know.
I can tell you one thing for sure: it's not all developers getting password reset messages.