NordVPN was mainly criticized for how they handled the disclosure. They didn't admit to the server breach until a whistleblower revealed it publicly a year later.
> The breach was done by “exploiting a vulnerability of one of our server providers, which hadn’t been disclosed to us,” according to the company [NordVPN]’s statement.
Laying the blame on an undisclosed vulnerability is pretty ironic of them
