NordVPN was hacked in a fairly bad way recently.
According to the VPN provider, one of their servers was accessed by an unauthorized user, who took advantage of a security vulnerability in remote management software left on the server by the hosting provider.
This just goes to show that even if the stuff you install on your server is secure and audited, the stuff that it comes with can’t be trusted. This is the main argument for the minimum necessary packages aspect of hardening.
NordVPN claims that no user credentials were obtained, nor were any logs. (they reiterated that they do not keep logs)
NordVPN claims it found out about the breach “a few months ago” but didn’t disclose it until they were all systems were secure.