One of the most popular VPN providers, NordVPN, has been in the news recently for being hacked. According to NordVPN, no user data was compromised and the bad actor never had access to any user traffic. A bad actor was able to acquire a TLS key for a single server in Finland.
NordVPN is downplaying the attack at this time; however, there have been data dumps indicating the attacker likely had access to a VPN CA private key, RADIUS server secrets, a web proxy private key, and an OpenVPN private key.
Since NordVPN’s entire business model is providing privacy and security to its customers, it makes sense that the company may want to downplay the access the bad actor had. Unfortunately, many organizations tend to leave out important details when initially disclosing security breaches and are later forced to amend their disclosures. We’ll have to wait and see if the data dumps that are in the wild can be validated and if NordVPN provides any additional details.
In the meantime, it is good food for thought: how good is the service your VPN provider offers if and when the provider itself becomes compromised? Security works in layers, and rerouting your traffic can potentially obscure your actual location, but it is not a complete security solution. Like most things in cybersecurity, it depends on your particular use case.
In-depth writeup here.