Based on the information we've been provided with so far, it appears that this was an instance of the user's machine being compromised, leading to lncli commands directly executed on the root user (all channels abandoned)

This does not appear to be an lnd specific issue