Rotating your account’s encryption key generates a new encryption key that is used to re-encrypt all vault data. You should consider rotating your encryption key if your account has been compromised in such a way that someone has obtained your encryption key.
This doesn’t seem right to me. How could someone obtain the vault encryption key? I don’t think BW ever exposes that. Someone could get my master password, but I don’t see how they’d get any of the things derived from it.
If an attacker gets a copy of your vault, this will contain a copy of the account encryption key; this copy of the account encryption key is itself encrypted (using your master password as a key) before being stored with your vault data, but it must be present (otherwise the Bitwarden client apps would not be able to decrypt your vault contents). Thus, if the master password is known to the attacker, they can decipher the encrypted account encryption key.
The attacker could get a copy of your vault (with the account encryption key) from Bitwarden’s servers, if they know your master password and are able to defeat your 2FA (or if you do not use 2FA); then they can use the master password to decipher the account encryption key. Alternatively, if an attacker gets access to one of your devices on which you have a Bitwarden instance logged in, they can grab the locally cached copy of your encrypted vault (which contains the account encryption key); in this case, they could decipher the encrypted account encryption key either if they know your master password, or if they are able to brute-force guess your master password — but they would not need to defeat the 2FA.
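The key hierarchy the reply above describes (master password → stretched key-encryption key → wrapped account key stored with the vault → items encrypted under the account key), and what key rotation changes, as an added example written for this thread; it is not Bitwarden's code. It uses PBKDF2-SHA256 for the password stretching, but since the Python standard library has no AES, an HMAC-SHA256 keystream with an HMAC tag stands in for the real cipher; every function and field name is my own, not the client's.

```python
import os, hmac, hashlib

def kek_from_master_password(password: str, email: str, iterations: int = 600_000) -> bytes:
    # Key-encryption key stretched from the master password, salted with the account email.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations)

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC stand-in for a real AEAD; separate sub-keys for keystream and tag.
    enc_key, mac_key = (hashlib.sha256(p + key).digest() for p in (b"enc", b"mac"))
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = (hashlib.sha256(p + key).digest() for p in (b"enc", b"mac"))
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")  # a wrong master password ends up here
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def create_vault(password: str, email: str) -> dict:
    # What the server and every logged-in device hold: the account key only in wrapped form.
    account_key = os.urandom(32)  # random, not derived from the password
    kek = kek_from_master_password(password, email)
    return {"email": email, "wrapped_key": encrypt(kek, account_key), "items": []}

def unlock(vault: dict, password: str) -> bytes:
    # A copy of the vault plus the master password is all it takes to recover the account key.
    return decrypt(kek_from_master_password(password, vault["email"]), vault["wrapped_key"])

def add_item(vault: dict, account_key: bytes, secret: bytes) -> None:
    vault["items"].append(encrypt(account_key, secret))

def read_items(vault: dict, account_key: bytes) -> list:
    return [decrypt(account_key, blob) for blob in vault["items"]]

def rotate_account_key(vault: dict, password: str) -> None:
    # Rotation: fresh random account key, every item re-encrypted, new wrapped key stored.
    # An account key (or vault copy) stolen earlier no longer opens the re-encrypted data.
    old_key = unlock(vault, password)
    new_key = os.urandom(32)
    vault["items"] = [encrypt(new_key, decrypt(old_key, blob)) for blob in vault["items"]]
    vault["wrapped_key"] = encrypt(kek_from_master_password(password, vault["email"]), new_key)
```

Note that rotation does not help against an attacker who still knows the master password and can fetch the new vault copy; it only invalidates the key material they already hold.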