Unauthorised server access with name using someone else's uuid

I am monitoring logs on my minecraft server donwoladed from https://www.minecraft.net/en-us/download/server
I extracted server-log4j2.xml from server.jar to allow more data being logged and running server like this:

java -Xmx32768M -Xms1024M -Dlog4j.configurationFile=file:./server-log4j2.xml -jar server.jar nogui

Recently I have tested usernames against uuids using mojang api.
I noticed that some hackers logged in to my server with username and uuid that belongs to someone else.
Data from server’s usercache.json:

    {
        "name": "lucnocity",
        "uuid": "d8c0443d-84fd-4288-9cfd-342ae4c725d6",
        "expiresOn": "2025-09-24 15:10:27 +0200"
    },
    {
        "name": "Luxnocity",
        "uuid": "39f85368-5b2a-4d68-b75e-4acad2bbbf41",
        "expiresOn": "2025-09-24 14:36:48 +0200"
    },

Those two players logged in together, but their uuids belong to someone else.

In api.mojang.com those users do not exits:
https://api.mojang.com/users/profiles/minecraft/lucnocity
https://api.mojang.com/users/profiles/minecraft/Luxnocity
and they logged in to my server.

And their uuids belong to someone else:
https://sessionserver.mojang.com/session/minecraft/profile/d8c0443d-84fd-4288-9cfd-342ae4c725d6
Bootsmcft
https://sessionserver.mojang.com/session/minecraft/profile/39f85368-5b2a-4d68-b75e-4acad2bbbf41
OptistickYT

My server properties are set to:

enforce-secure-profile=true
online-mode=true
prevent-proxy-connections=true

I don’t know how it happen, but banning those uuids or playernames may affect not guilty players.
It would be nice that mojang authorisation was fixed and prevented this from happening.