Has the user previously not logged in successfully? Is there a chance user is sharing the account and another person is making a mistake? Do you have Security Audit Log configured to see if you can identity what the user is doing? Is it all users, some users or a specific user?
What happens if they logout and then log back in?
Do these numbers match the USR02 numbers? And is there any chance someone has custom code that is directly updating USR02 which could be causing issues.