Different Kinds of Attacks
'Hacks' are not very common - these types of attacks are.
Exploit Attacks
If you are using an old version of a browser, or you are using an old version of MetaMask, it IS POSSIBLE for a malicious website to use some trickery to get to your private key, even if you don't sign anything. This is highly unlikely, but you should always keep your browser up to date.
It is also possible for the website to use browser exploits to read the encrypted wallet file that MetaMask uses. If the attacker knows your passwords, and you reused them for the MetaMask wallet, then they can steal it that way too.
There are some other common attacks, but nearly all of them depend on zero-day exploits, of which there are many. Update Chrome when it asks you to. If you are on Windows, there are a number of other attack vectors. For instance, a completely different browser plugin could be compromised and lead to the same thing.
Phishing Attacks
The exploit attacks described above are hard to pull off, and it's a moving target. It's way easier to just trick people into giving up their keys: malicious links in emails that get you to download something, malicious links in emails that get you to sign something, malicious "tech support" that convinces you to run TeamViewer or something else and then they just take it, etc.
There's a big long list, and the hardware wallet protects against most of it (but not all). The best thing that you can do is get educated.