VPN providers, which are meant to be an answer to privacy concerns, are not invulnerable to hacking. Servers belonging to the popular VPNs NordVPN, TorGuard VPN and possibly VikingVPN were attacked and, in the case of NordVPN, private keys for its web server certificates were leaked.
The most information is available about the NordVPN breach. The company disclosed that one of its servers in Finland was accessed without authorisation through "an insecure remote management system left by the datacenter provider" in March 2018. The stolen encryption keys, although now expired, were valid at the time of the breach and for 7 months after. They are responsible for protecting the user's traffic, meaning the purpose of using a VPN on the compromised server was defeated.
NordVPN terminated the contract with the affected server provider and began an internal audit, but failed to notify its users about the breach in a timely manner, doing so only after the wider public had been informed through a Twitter post.