Does your friend have the OTP? If so, the only way I can reasonably see their account being taken over is if they fell for one of the phishing websites that mimic the Square Enix account login.

There, you put in your Account name and PW, and the OTP code. Just that once allows the hackers to grab the info and log in quickly. Though it makes me wonder, if someone uses their OTP on a false SE website, how could the hackers then change their password? You need to use the OTP once to log into the account website as a whole, and do you also need to put it in again to change anything about your account settings?

The way I've seen SE handle things is that they expect account owners to be very careful with their information. Their added protection is the OTP, and if that is given out (freely or accidentally), it isn't SE's problem.