Well that’s the point - I don’t know IF the system was hacked or not. Logfile auth.log shows just one failed login attempt, which was my own when I entered the wrong ssh password.
The system is not accessible by SSH from the web, only from LAN.
The passwords are all long and randomly generated by my password manager, so brute force seems unlikely.
Fail2ban is active on the system (fail2ban.log shows just one external IP being logged) and the system automatically updates as per the default settings of NextcloudPi.
Granted - ufw was not active, but only ports 80 and 443 are forwarded from the router to the system, nothing else.
With all above, I suspect software or hardware failure is more likely than an actual hack.
So the question remains - which (offline) log files could shed more light on what happened?