Have they ever plugged into the same Mac (at different times)?
What IOS versions are they each running?
Are they using a third party password manager?
Are either or both developers or hackers?
I can’t think of anything else, other than perhaps they are pranking you?
There is a feature in Settings in iOS 17 (and maybe earlier) called AirDrop Passwords.
Maybe they were screwing around with this?
Is it possible one friend had access to the other’s phone and transferred them (by accident playing around or otherwise) and is lying now to protect himself?