Even though they only mentioned credit card and device identifiers, I'm sure Apple has much more information behind the scenes they don't make public, such as the account behavior, etc.
For example they could just look at the IP from which each account holder signed in, and may have found that they were coming from the same IP. In fact, it is very likely that they would have tried this, and if they did and found that the IP were different they probably wouldn't have been as confident about how they dealt with this case in my opinion.
For example they could just look at the IP from which each account holder signed in, and may have found that they were coming from the same IP. In fact, it is very likely that they would have tried this, and if they did and found that the IP were different they probably wouldn't have been as confident about how they dealt with this case in my opinion.