Sounds like Apple should be able to plug this in no time by:
- Immediately giving you the option to say you did not request this and to block any new incoming password requests (with increasing intervals)
- Logging patterns (IP addresses, etc.) of requests that were denied (the “it wasn’t me” option) and blocking these, so new attacks can’t be started by this attacker
- Putting a rate limit on the password reset form
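
The three mitigations listed in the comment above, sketched as an added example; it is not part of the original comment and not Apple's implementation. The class name `ResetGuard`, the thresholds and the in-memory state are all assumptions made for illustration.

```python
import time
from collections import defaultdict, deque

class ResetGuard:
    """Gate for password-reset requests (hypothetical names and thresholds)."""

    def __init__(self, base_block=60, max_block=86400, form_limit=3, form_window=3600):
        self.base_block = base_block      # first block after a denial, in seconds
        self.max_block = max_block        # cap on the escalating block
        self.form_limit = form_limit      # requests allowed per source per window
        self.form_window = form_window    # sliding window length, in seconds
        self.denials = defaultdict(int)   # account -> number of "wasn't me" reports
        self.blocked_until = {}           # account -> time the block expires
        self.bad_sources = set()          # sources tied to a denied request
        self.recent = defaultdict(deque)  # source -> timestamps of recent requests
        self.last_source = {}             # account -> source of the latest prompt

    def allow(self, account, source, now=None):
        """Decide whether a reset request may trigger a prompt."""
        now = time.time() if now is None else now
        if source in self.bad_sources:
            return False, "source blocked"
        if now < self.blocked_until.get(account, 0):
            return False, "account cooling down"
        q = self.recent[source]
        while q and now - q[0] >= self.form_window:
            q.popleft()                   # drop requests that left the window
        if len(q) >= self.form_limit:
            return False, "rate limited"
        q.append(now)
        self.last_source[account] = source
        return True, "prompt sent"

    def deny(self, account, now=None):
        """User chose "this wasn't me": double the block, remember the source."""
        now = time.time() if now is None else now
        self.denials[account] += 1
        block = min(self.base_block * 2 ** (self.denials[account] - 1), self.max_block)
        self.blocked_until[account] = now + block
        src = self.last_source.get(account)
        if src is not None:
            self.bad_sources.add(src)
        return block
```

Source-based blocking can also catch legitimate users behind a shared address, and an account-level block delays the real owner's own reset, so both need an out-of-band recovery path.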