my devices were unlocked at the applestore last weekend, they really do need the receipts as the department in california generating the unlockcodes are severely paranoid and wont do a thing if you dont have a receipt, which partially makes sense as it is an anti theft lock.
in my search for a solution i did find out several things:
1: icloud isnt really hacked, the so called hackers have bought an email database which comes from other sites that have been hacked. when you use the same login and password at multiple sites big chance they got it from there
2: 2Fa security doesnt help, they dont need this to set the devices as stolen.
3: you can check on https://haveibeenpwned.com/ if your login and password have been breached. you only need to enter your login and you can see exactly where they got it from. mine was in there 4 times for example.
4: the only solution so far is to use a unique password that you havent used anywhere else. my advise would be to use a different one at each site/software where you have to login