@Vic might be able to help with more technical details but I believe it was the Auth code/script/whatever that allows Alby to control other wallets that was accidentally exposed. It was published as the lnaddress or something like that. Seems there was no validation check on the client side.
It was originally believed that only the Zeus wallet was at risk, but it was later found, after the wallet was drained, that the stacker.news account (and all other linked accounts) were apparently also at risk.