see this link:
https://support.apple.com/en-us/HT204316
security is up to you.
If you are using the same login and password for other services and those services get hacked then whoever has that info only needs to try it somewhere else. Authentication also relies on two factor authentication where another device will tell you when your account is being accessed (often with the location nowhere near your physical location but that's because it's not using your physical location, it's using your providers servers locations)
Use a unique password for this service.
Furthermore Apple will never send you an email saying dear customer, or dear user@att.net. If they are not addressing you by your real name then the legitimacy of getting an email from Apple about your iCloud is likely fraud to keep an eye out for.