It comes from the membership database, joined up with the existing SharePoint user profiles. If none are showing up, it's likely there's a misconfiguration in your membership provider or possibly your SharePoint web app.
The membership configuration for logging in actually comes from a different place than what's used once you're logged in.
Logging in, it uses the membership provider defined in the SecurityTokenService.
Once the user is logged in, it uses the membership config from the web.config for the SharePoint web application itself (which also inherits the settings for the machine.config if your membership settings are defined there).
In Central Admin, check which membership provider is being used:
Manage Web applications -> select the web application -> Authentication Providers. The name of the membership provider defined there should match what's defined in the SecurityTokenService web.config, which should also match what's defined for your web