It's hard to say from your description. I would recommend following How to maintain, check and improve the security of your Nextcloud installation. The first step is definitely upgrading quickly to the *latest minor version* available and adding MFA.

To analyze the situation you must review your logs. If you have the auditlog app installed, it is quite easy to see all user logins and actions, including file uploads and downloads. If not, you can get this data from nextcloud.log, but it is harder. I would start by checking for unknown IPs. As you likely don't keep track of your IPs, check whether you see foreign IPs and maybe "strange" user agents not matching your familiar devices in the log…

Here is a short helper to get all IP + user-agent combinations from your nextcloud.log using the jq command. This should allow a first check for unexpected connections and give you a starting point:
```bash
# as JSON
jq '{time: .time, remoteIp: .remoteAddr, userAgent: .userAgent, url: .url}' /{path to your data directory}/nextcloud.log | jq --slurp 'unique_by(.remoteIp, .userAgent)'
# as CSV (--raw-output prints plain CSV rows instead of JSON-quoted strings)
jq '{time: .time, remoteIp: .remoteAddr, userAgent: .userAgent, url: .url}' /{path to your data directory}/nextcloud.log | jq --slurp --raw-output 'unique_by(.remoteIp, .userAgent) | .[] | flatten | @csv'
```
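The same triage as an added Python example (not part of the original post): it groups log entries by IP and user agent like the jq commands above, and additionally counts hits, records first and last seen times, skips lines that are not valid JSON, and marks sources outside networks you recognise. The sample log lines and `KNOWN_NETWORKS` are constructed assumptions; only the `time`, `remoteAddr`, `userAgent` and `url` fields used in the post are read.

```python
import ipaddress
import json

# Constructed sample lines in nextcloud.log's one-JSON-object-per-line layout.
SAMPLE_LOG = """\
{"time":"2024-03-01T08:00:01+00:00","remoteAddr":"192.168.1.20","userAgent":"Mozilla/5.0 (X11; Linux x86_64)","url":"/index.php/login"}
{"time":"2024-03-01T08:05:10+00:00","remoteAddr":"192.168.1.20","userAgent":"Mozilla/5.0 (X11; Linux x86_64)","url":"/index.php/apps/files/"}
{"time":"2024-03-02T02:13:44+00:00","remoteAddr":"203.0.113.50","userAgent":"python-requests/2.31.0","url":"/remote.php/dav/files/alice/"}
this line was truncated and is not valid JSON
{"time":"2024-03-02T02:14:02+00:00","remoteAddr":"203.0.113.50","userAgent":"python-requests/2.31.0","url":"/remote.php/dav/files/alice/notes.txt"}
"""

# Assumption: the networks you recognise as your own (a home LAN here).
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def is_known(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # empty or malformed address: treat as unknown
    return any(ip in net for net in KNOWN_NETWORKS)


def summarize(lines):
    """Group entries by (remoteAddr, userAgent); return (rows, skipped_count)."""
    groups = {}
    skipped = 0
    for line in lines:
        try:
            entry = json.loads(line)
            key = (entry["remoteAddr"], entry["userAgent"])
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # not JSON, or not a request-style log entry
            continue
        # Assumption: the log is append-only, so file order is chronological.
        g = groups.setdefault(key, {"count": 0, "first": entry.get("time"), "last": None})
        g["count"] += 1
        g["last"] = entry.get("time")
    rows = [
        {"remoteIp": ip, "userAgent": ua, "known": is_known(ip), **g}
        for (ip, ua), g in groups.items()
    ]
    return rows, skipped


def unknown_sources(lines):
    """Return only the IP + user-agent pairs outside KNOWN_NETWORKS."""
    return [row for row in summarize(lines)[0] if not row["known"]]
```

To run it on a real log, pass the open file object, for example `unknown_sources(open(path))`, after replacing `KNOWN_NETWORKS` with your own address ranges.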