I'm not totally sure I'm not a Laravel expert I just use it as a backend api so I believe I exposing the entire Laravel folder instead just the public. And yes is embarrassing haha.
I was curious too how this could happen, since the .env wouldn't normally be in the public folder.
Laravel is a great framework, check out Laracasts.com and forge.laravel.com, it's a deployment tool that will spin up a VPS on AWS, Digital Ocean, etc. with the proper configuration.