The real Metamask web wallet is alright. I haven't heard or read anything that the codes were compromised/exploited. In most cases, these hacks happen because of the user's fault. Some of them are careful in not giving their seed phrase but careless in reading the Metamask pop up message before they click sign or confirm. In the latter's case, I've seen a message asking for authorization to spend your token.