Session stealing is actually a thing.It starts with someone asking if you, usually but not restricted to an admin or mod, can log on to their private server.
From there they have access to your IP and session ID unique to your game client.
They can then turn around and, using your session ID, fuck with our server as if it were you.
---
The science behind will follow but the best way to avoid this from happening is to only join servers that have some recognition to them. PMC and MC server lists have a forever updating list of servers with space for comments. Use this when deciding where to go but
do not join some random shmucks server because they want you to.--
Your IP is unique to your device and is given a mask if you are using a router, but still each is unique to your NIC.
Your session ID is no different. You are assigned an ID everytime you log in and these IDs are your credentials on servers. It is the difference between logging on our server as me or someone like Sdk90. He has no clearance where as I have way more.
By cloning the active session ID they have any access you do.