Strange activity, am I hacked?

We’ve noticed strange activity several days ago. Logs says that our real users quickly logged in one-by-one (read emails and IPs are replaced in output)

vaultwarden[1713]: [2024-12-07 05:30:08.947][vaultwarden::api::identity][INFO] User realuser01@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:05:18.777][vaultwarden::api::identity][INFO] User realuser02@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:41:00.006][vaultwarden::api::identity][INFO] User realuser03@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:41:33.373][vaultwarden::api::identity][INFO] User realuser04@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:42:02.927][vaultwarden::api::identity][INFO] User realuser05@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:42:31.712][vaultwarden::api::identity][INFO] User realuser06@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:43:03.977][vaultwarden::api::identity][INFO] User realuser07@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:43:17.424][vaultwarden::api::identity][INFO] User realuser08@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:43:29.859][vaultwarden::api::identity][INFO] User realuser09@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:46:13.015][vaultwarden::api::identity][INFO] User realuser10@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:46:37.277][vaultwarden::api::identity][INFO] User realuser11@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:46:45.533][vaultwarden::api::identity][INFO] User realuser12@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:46:59.415][vaultwarden::api::identity][INFO] User realuser13@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:47:07.683][vaultwarden::api::identity][INFO] User realuser14@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:47:17.279][vaultwarden::api::identity][INFO] User realuser15@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:47:25.040][vaultwarden::api::identity][INFO] User realuser16@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:48:29.542][vaultwarden::api::identity][INFO] User realuser17@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:48:37.553][vaultwarden::api::identity][INFO] User realuser18@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:49:13.503][vaultwarden::api::identity][INFO] User realuser19@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:58:20.033][vaultwarden::api::identity][INFO] User realuser20@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 10:58:49.200][vaultwarden::api::identity][INFO] User realuser21@domain.com logged in successfully. IP: 10.0.0.1
vaultwarden[1713]: [2024-12-07 11:00:52.753][vaultwarden::api::identity][INFO] User realuser22@domain.com logged in successfully. IP: 10.0.0.1

Check the Vaultwarden Admin Backend and see if there are any configuration errors.
/admin/diagnostics

And mainly check the IP Header check.
You probably made a configuration error regarding this.

Thank you very much for reply. I’ve got one diag “red” filled. 2FA Connector calls: - Header: ‘content-security-policy’ is present while it should not

My installation is vaultwarden container behind nginx reverse proxy. My users got notification emails about successful logins via Firefox browser.

What I should do ?

I would suggest to check your reverse proxy logs too.
Must be something there which might indicate what the issue is.