One theoretical possibility is that your device was compromised at the time that you generated the original password (or even that the website you used was compromised). It had to have leaked from somewhere, we just don’t know where…
And did you ever log into your account (i.e., access your vault) using any Bitwarden app, browser extension, or web vault during the two years from the original account creation until you received the email notifications about the verification code and login from a new device?