Unauthorised Access to Plex Sharing

Is your Tautulli page accessible from the internet? If so, do you have it requiring authentication?

[edit: it is indeed publicly accessible without requiring any authentication.]

Because you can get your X-Plex-Token from it. And if you have this token, you can do almost anything that requires Plex authentication (i.e. Plex username and password), like inviting shared users etc.

You need to follow the instructions of the Tautulli developer to secure your Tautulli installation, if you make it accessible from the internet: https://github.com/Tautulli/Tautulli-Wiki/wiki/Frequently-Asked-Questions#general-q9

(The fact that nobody knows your domain or IP is no security at all [Google “security by obscurity”]. There are thousands of search “spiders” patrolling the web, trying to find all kinds of servers without proper security measures.)
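
An added example, not part of the original post and not Tautulli's own code: a local audit of a Tautulli `config.ini` that flags the situation described above, a web UI reachable beyond loopback with no login while a Plex token is stored. It assumes the `[General]` keys `http_host`, `http_username`, `http_password` and the `[PMS]` key `pms_token`; the sample file and its values are constructed.

```python
import configparser

# Constructed sample in the shape of a Tautulli config.ini (placeholder values).
SAMPLE_CONFIG = """
[General]
http_host = 0.0.0.0
http_port = 8181
http_username = ""
http_password = ""

[PMS]
pms_token = PLACEHOLDER_TOKEN
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def _value(cfg, section, key):
    """Read a key, dropping whitespace and the quotes used for empty strings."""
    return cfg.get(section, key, fallback="").strip().strip("\"'")


def audit_tautulli_config(text):
    """Return findings for a config that exposes the web UI without a login."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    # Assumption: an empty or missing http_host binds to all interfaces.
    host = _value(cfg, "General", "http_host") or "0.0.0.0"
    has_login = bool(_value(cfg, "General", "http_username")) and bool(
        _value(cfg, "General", "http_password"))
    findings = []
    if has_login:
        return findings
    findings.append("web UI has no username/password configured")
    if host not in LOOPBACK:
        findings.append(f"web UI listens on {host} with no login")
        if _value(cfg, "PMS", "pms_token"):
            findings.append("stored Plex token is readable by anyone who reaches the UI")
    return findings


if __name__ == "__main__":
    for finding in audit_tautulli_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

A loopback bind only helps if no reverse proxy or port forward publishes the UI, which this file-level check cannot see.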