The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed.
NordVPN, one of the most popular (and heavily advertised) VPN services out there at the moment, have confirmed a server had been accessed in March 2018.
The unauthorised party had access to information regarding what websites were being visited and when but unlikely to have been able to see what was on them due to traffic being encrypted.
Details around what usernames, passwords and activity or NordVPN users were not accessible.
Source: Why the NordVPN network is safe after a third-party provider breach | NordVPN