
There have been recent stories about how thieves were looking at people entering their passcodes into their phones, snatching the phone when it was unlocked and using the PIN to disable iCloud/Find My.


...You can't use the device PIN to disable iCloud. You have to put in the iCloud password. And you really do have to put it in; even if the iPhone is unlocked, security features like that always require the password.


I think they were doing something like going to Settings -> Apple ID and trying to change the password incorrectly many times (or something like that). That would basically lock you out of your own iCloud account (at least for a while) so you couldn’t lock or track it via Find My.

I recommend using the “Screen Time” feature on iPhones to protect against this. You can basically set a _different_ 4-digit PIN to access some of the settings of the iPhone, including the Apple ID one. (The setting becomes grayed out and inaccessible until you disable Screen Time).



So it’s possible, and there are countless articles explaining how.

But at face level… your phone is so personal that it’s pretty easy to mess with basically all of your life.

When you have someone’s unlocked phone, you can usually get access to their emails, and use that to reset most accounts. Finances, social, emails, often work etc.

Here’s the WSJ explanation if you want:

https://www.wsj.com/articles/apple-iphone-security-theft-pas...


This is exactly how it works. If a thief knows the passcode (be it numerical or more complex), he can change your iCloud Account password without knowing the current password and disable Find My without.

Apple acknowledges this and seems to be ok with it [1].

[1] https://www.macrumors.com/2023/04/19/apple-responds-to-iphon...



