I wouldn't expect front-line support to be able to track hacker activity like this. They did what they needed to (locked the account and stopped further abuse). They wouldn't, and shouldn't, have access to server logs, and forensic analysis of malicious activity takes time and skill.
Even if they could determine the hackers' identity, they would absolutely not reveal this to the user without some kind of legal requirement such as a subpoena.

So it sounds to me that Apple did exactly what they should - dealt with a stupid user appropriately and stopped the actions. What's the problem (or the news!) here?

Don't get this, how could do this, unless his paypal account name and password were the same as the mobile me one? Or it was stored in his mobile me files?

Btw, there is no tie to paypal in mobileme, and only the last 4 of the credit card are used, with the security code unstored. I don't get this story at all!

I'd like to have the use of an OTP / token generator for mobileme. I'd pay a one time fee for a token generator.

IT expert? Yeah, right. He used an easy to guess security question and blames Apple for not requiring a second email address? Oh please?

Sure, Apple could require a second email - if you have one. But what if you don't? Bottom line is this was his fault. A poster on that page offers good advice - answer security questions with nonsensical answers. Just make sure you can remember them or keep the answers securely locked away.

Isn't that going a bit overboard to protect your email. I'm sure you'd love to type in a new password everytime you retrieved your email.

As for PayPal, perhaps they used the address to find an account, then did one of those "I forgot my password" things.

As a long time Paypal user I purchased a one time fee $5 security key and need it to login to my account. I wouldn't think of running my business without it.
This doesn't address the MobileMe issue but with all the Paypal phishing attempts and just plain good security practice I can only wonder why anyone wouldn't spend that 5 bucks.

Easy. Cheap-cheap-cheap.

Not to mention the "Oh, I'd never get fooled by some phishing attack!" excuse.

This just happened to me too. I am not kidding.

This is not a new problem and has been an ongoing issue for several years now. Apple, as typical, has refused to recognize it, or to assist by providing basic log file access that would allow for the problem to be investigated by users or law enforcement. My brother-in-law has a long dialog of e-mails with Apple about his account being hacked several years ago, which would help to prove a pattern of neglectful security behavior should anyone be able to round up a large enough group of Apple hacked victims to launch a class action suit. It seems that these days, the only way to get Apple to do the right thing by its customers is to sue them.

iDisk, syncing, iWeb update stability via me.com, and other problems plaque this service. Chatting with apple does no good. Snow Leopard made things worse. For 99$, it should be a lot better.