That's very interesting behavior. In 8.0, we introduced a lock feature that defaults to 10 attempts before locking out an account.
What's the result of this query:
# dbc 'select id, name, login_attempts, is_enabled from users;'
My guess is that all accounts are at the limit of 10 and are disabled. The quick fix should be:
# dbc 'update users set is_enabled=1 and login_attempts=0;'
Also, make sure these users are not using scripts that login to AMP (to access APIs, reports, dashboard elements, etc). If they do, temporarily disable the scripts, double check that the scripts use the correct account passwords, and then re-enable.