They go to a shady website telling them to open a terminal and entering `sudo rm -fr /`, and you got unlucky that they entered the same password they used when logging in.

But! It's your fault! They shouldn't be able to sudo!

But that's the point. If they couldn't sudo, they could do something else as disastrous. It is difficult to secure a Linux system if the user is allowed to log in. If I needed to give someone access, I just would give him a freshly installed Linux virtual system, and if he deleted something important, it's his problem, not mine.