Anyone malicious who has physical access to the device you use to connect to the application can perform all kinds of actions on your behalf. This is common knowledge, but it is worth remembering anyway.
When connecting to the app from a device that does not belong to you, always remember to log out at the appropriate time.
If you think that someone knows the password you use to access the application, consider changing it immediately.
On the other hand, if you're sure that no one else knows your password but someone else is using your active session from another device, remember to revoke your access tokens immediately. Once all your access tokens are revoked, both you and the other person will be forced to log in again, and since only you know the password, you will have outsmarted them.
Always be wary of phishing emails that ask for your login credentials to the application. For example, if you did not request a password reset and you receive an email about one, simply ignore it.