A multi-sig contract used with Parity suffered from a security flaw that allowed funds to be taken. Full details: https://blog.parity.io/security-alert-high-2/
No Metal internal funds, whether ETH or the MTL token, were taken via this security vulnerability. We are safe and took precautions before and after to increase security, including moving funds to cold storage from our modified multi-sig contract. We were in all-hands-on-deck mode regardless. We researched the blockchain, and we spent extra time double-checking all values. We love the Ethereum community as a whole, and we hope this doesn't damage what everyone is trying to achieve.
You can view the audit of the Metal Token Contract, which we've also taken extra care to have reviewed, here: https://blog.zeppelin.solutions/metal-token-audit-d7e4dbf17bcf
1,001 MTL from what appears to be a single user was taken. It is currently in "The Whitehat Hacker" address (https://etherscan.io/address/0x1dba1131000664b884a1ba238464159892252d3a). If you had stored funds in a Parity multi-sig wallet, please check your funds. A summary on Etherscan, visible if you view the address, details the plans of the whitehat group to return funds, but we won't be 100% certain until it happens.
We'd like to send our best wishes to anyone who suffered a loss, and we hope that as many funds as possible will be returned. We want to reiterate that public/private key cryptography is strong, and using cold storage and hardware wallets remains one of the safest ways to store funds. Multi-signature is not built directly into Ethereum, and so it is still experimental. Some hardware wallets to consider are Trezor, Ledger, or KeepKey as a method for additional security for Ethereum and ERC20 coins. Bitcoin multi-sig has been stress tested and has long been a security option for the industry, as a built-in function of the protocol, so this does not reflect on Bitcoin's use of multi-sig.