Developer wanted: walk me through how my smart contract test got hacked on mainnet

Hi! Title says it all. I had a contract I deployed with a tiny bit of ETH to mainnet. A few months later, another contract was able to call it and in one transaction transfer ETH and selfdestruct (call - create - selfdestruct). It may sound self-explanatory given selfdestruct was in the original code, but I promise it's more complex than it sounds. Anyone well-versed in Solidity (aka not me) will be able to give valuable insight. I need an explanation for a larger POC I am working on.