I certainly don’t think this is common, but it is worrisome.
My first question would be, do you make the URL to your Personal Meeting ID (PMI) available to other people via social media, web sites, or other easily accessible means? If so, and you only have a passcode for security, anyone with access to that URL can get into the room if you also have Waiting Room turned off, since the URL has the passcode embedded in it.
With the latest Zoom security measures, if you don’t have a passcode, you have to have Waiting Room turned on. If Waiting Room is on, nobody can get into the room unless you let them in after you join. So that’s not the issue.
I would recommend changing the passcode on your PMI. This will invalidate any URL that already exists on the internet. Then, for extra security, turn Waiting Room on OR turn off the option to Join before host.