The code is written using a dynamically typed language with no security guarantees, so stuff like this is inevitable. Are there projects that leverage static typing to allow the creation of provably secure contracts?
It was a phishing campaign. People clicked the wrong link and allowed a rogue smart contract to drain their wallets. OpenSea has given an update on Twitter.