[zaroth]

iCloud backups are not protected by your iCloud password. I know this because I've personally reset my password and then successfully recovered an iCloud backup to a new phone with the new password.

However, the auto-backup feature, which would have pushed the most recent data from the phone onto iCloud just by leaving the phone powered on... apparently that is disabled when the iCloud password is reset. Which makes sense if you think about it, the phone still has the old iCloud password, and it would need the new password in order to authenticate to iCloud. So they inadvertently disabled the backup feature by locking the phone out of iCloud!

The first question this raises is can the auto-backup be made to start working again by Apple changing their backend iCloud authentication code to specifically allow this device to login to iCloud with the "wrong" (old) passsword? That would not involve touching the phone and seems like a much cleaner solution. Unless there is code on the phone which disables or destroys the iCloud authentication token / stored password after encountering a login error, which really would surprise me, because API errors could be spurious, but I guess it's possible if they are looking specifically for an "invalid login" return code and then dumping the old token in order to trigger a UI prompt to enter a new password.

The second question is why are the existing backups a month and a half old? Doesn't this imply the device was not even turned on or connected to the network for that last month and a half?

The other interesting tidbit in the article is the statement the FBI was able to verify that the phone was never paired with any devices to obtain data. How in the world could they know that?

(Cross-posting this comment from another article, because it's more relevant here)