Well, they confirmed that there are some signs of a hack. I believe they do have the logs of the user account. They can check weather the 2FA was disabled for a certain period or the 2FA was activated before the hack. If 2FA was activated from the beginning, yet someone was able to access his account, isn't it concerning for the BC game? This can happen with other players as well.

I can think of three scenarios here. The first one is, someone from OP's family used their device to get the OTP and successfully logged in to their account (but BC support said they found a login from a different location). The 2nd one is, OP is telling lie about the case (this is unlikely because BC already found the sign of hack), and the 3rd one is, the security system was breached somehow.