"Logged in using .htaccess" isn't really clear. .htaccess can be used to password protect areas, to declare the authentication type, groups, and .htpasswd filepath, but it's a stretch to say that people "log in using .htaccess" -- If anything, they log in using mod_auth. So, it's not clear what file you are looking at to see the usernames and this blank username.

I would be concerned that your authentication set-up is secure, and I'd check .htpasswd for a blank username entry. But it's also possible that the authentication is set up to allow users within your LAN or from specific IP addresses or ranges to access the server without a username or password -- If you recognize the IP addresses, then see Apache mod_auth, mod_access, and the 'satisfy any' directive in Apache core to confirm.

I certainly would not let this go without finding out where these requests are coming from.

Jim