It's a cold wallet, which means it should never be connected to the internet, so not entirely online, but yes - these are the wild wild west times of the internet. Imagine how easy it was to go into a bank, shoot some people and get out with money, and doing it like, daily? Monthly? Today it's not possible.
What supposedly happened is that malware was installed on every multisig key signer's device, and then the hacker showed them all a fake transaction that looked legit but actually changed the smart contract of the cold wallet to give him access.