This might be too broad of a question but it is a gigantic security issue and I have no idea where to start debugging this.
I was testing some features on my dev server while someone else was logged in on the frontend as well. At one point, after refreshing, I saw that I was suddenly logged in as the other user's account. I did not even know which email they were using and had never logged in with that account before, but I could now do everything from changing his password to placing orders with his account.
As far as I know I'm not doing anything weird with sessions, but the most likely place I could see this going wrong is a Helper class that is used in various places but that is only used for getting the current user's customer group ID.
It is a fairly standard and clean Magento 2.1.9 installation on a LAMP stack. We started developing two weeks ago, so we have one custom module that we are working on right now and no third-party modules.
Best Answer
I was able to replicate this issue by clicking a link with a "SID" (session ID) in it. If that session ID belonged to another customer and they were logged in, I could see their details.
Because the site I was working on was a single website/store (no multi-website/store), I could stop the issue by changing:
Store > Configuration > General > Web > Session Validation Settings > "Use SID on Storefront" == "No"
You may need to wipe your session store to ensure no customers are still sharing sessions.
I found this related question useful and it contains more info over there:
How to Remove SID (SESSION_ID) from URL in Magento 2
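
To judge whether any sessions were actually shared before wiping the session store, the web server's access log can be checked for a single `SID` value arriving from more than one client. The script below is an added example, not part of the original question or answer. It assumes Apache combined log format; the log lines are constructed samples, and the names `sid_clients` and `shared_sids` are made up for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Oct/2017:10:01:02 +0000] "GET /customer/account/?SID=aaa111 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.10 - - [12/Oct/2017:10:01:09 +0000] "GET /checkout/cart/?SID=aaa111 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [12/Oct/2017:10:03:40 +0000] "GET /customer/account/?SID=aaa111 HTTP/1.1" 200 5120 "http://dev.example.test/?SID=aaa111" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [12/Oct/2017:10:04:00 +0000] "GET /?SID=bbb222 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.55 - - [12/Oct/2017:10:05:00 +0000] "GET /catalog/product/view/id/3 HTTP/1.1" 200 1024 "-" "curl/7.55"
"""

# Assumption: combined log format (client, identity, user, time, request, status, size, referer, UA).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def sid_clients(log_text):
    """Map each SID seen in a request URL to the set of (ip, user-agent) clients that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not combined-format requests
        query = parse_qs(urlsplit(m.group("target")).query)
        for sid in query.get("SID", []):
            seen[sid].add((m.group("ip"), m.group("ua")))
    return seen

def shared_sids(log_text):
    """Return SIDs presented by more than one distinct client, with those clients sorted."""
    return {sid: sorted(clients)
            for sid, clients in sid_clients(log_text).items()
            if len(clients) > 1}

if __name__ == "__main__":
    for sid, clients in shared_sids(SAMPLE_LOG).items():
        print(f"SID {sid} used by {len(clients)} clients:")
        for ip, ua in clients:
            print(f"  {ip}  {ua}")
```

A hit is a lead rather than proof: one customer switching networks or browsers also shows up as two clients. Any request URL carrying a `SID` at all after the setting is changed indicates links that still embed it.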