over 3 years ago - /u/Mod_Stevew

In this situation, recovering the account is the only way to set a new email and pass, and then disable Auth via the new email address. When a recovery attempt is denied they should indicate the reasons and information that needs to be improved.

If the deny response comes very quickly, that means the information is so weak that it hasn't even passed a very basic security check - that can happen if you are trying to recover the wrong account. If the response takes a little longer then it is good news; it means it has passed basic checks but is still not quite enough to be granted.

Focus on info that only the owner is likely to know: creation ISP, location, billing history, contact emails, contact postcodes, bill payers' names and so on ... and always try to give the OLDEST information you can recall. If you can, avoid giving information that is known to a hijacker, for example the password that the hijacker knows. Submit the recovery request from the device and connection that you most commonly used to access the account in the past if you can.