Thank you for your quick response!
I looked at CVE-2021-22205: How to determine if a self-managed instance has been impacted - #17 by mmcintosh but I did not see anything regarding the ExifTool in my logs. I do however see null user_id and username entries for the /users/sign_in POST command in the production_json.log.
Does this still sound like we have been exploited by this?