NordVPN terminated its contract with a Finnish data center provider following a breach last year.
After the breach was revealed in an awkward Twitter spat on October 20, the company has only now publicly admitted it was the victim of an attack.
NordVPN boasted: "Ain't no hacker can steal your online life. (If you use VPN)."
In response, hacker group KekSec revealed that another group had hacked into NordVPN and attached links as proof.
NordVPN has since deleted its tweets but the company says it has known about the hack for months but didn't go public with the information.
A spokesperson said in a statement on its website: “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues.
“This couldn’t be done quickly due to the huge number of servers and the complexity of our infrastructure.”
The data center provider that operates the allegedly compromised facility is Finland's Oy Creanova Hosting Solutions Ltd, Bloomberg reports.
Hackers used a poorly secured remote-management system, built into an unidentified server at Creanova's Helsinki data center. The attack occurred in March via an insecure remote management system and an expired private key (TLS Key) was taken.
Because the TLS Key was stolen, there is a fear it could be used to create spoof NordVPN servers and harvest personal information from oncoming traffic.
NordVPN claims Creanova noticed it but did not tell Nord - instead, its techs found out about an open account and unauthorized use of its server "a few months ago" - prompting a network-wide audit across its thousands of servers.
Nord blames Creanova for sloppy security and says it was unaware of multiple accounts tied to the remote-management system which may have led to unauthorized access. However, the data center provider says Nord is just trying to shift responsibility.
Update: A spokesperson from Creanova said: "The allegations that an iLO [Integrated Lights-Out management system] had more than one default account created by our staff are not substantiated.
"Our staff never creates additional accounts. The hacker who accessed the iLO created those fake accounts. After this incident, our staff started checking the hacked server iLO and saw the fake accounts and removed them.
"NordVPN knew about that iLO accounts but didn't request us to shut down the port."
The company's terms and conditions page states: "Oy Crea Nova Hosting Solutions LTD cannot maintain the server if the customer has sole administrator rights. The customer hence shall have sole responsibility for the content and security of the server. The customer herewith enters into the obligation to set up and maintain his/her servers in such a way that the security, integrity and availability of the networks, other servers, as well as software and data of third parties or of Oy Crea Nova Hosting Solutions LTD, are not placed at risk.
"It shall be his/her obligation to install security software, to regularly obtain information on security loopholes which become known and to close known security loopholes. If Oy Crea Nova Hosting Solutions LTD provides security or maintenance programs, this shall not release the customer from his/her obligation."
NordVPN has 12 million users worldwide but the company estimates only 50 to 200 customers used the breached server.
It says it is not downplaying the security threat.
In the statement, it said it had learned some harsh lessons: "Even though only 1 of more than 3,000 servers we had at the time was affected, we are not trying to undermine the severity of the issue.
"We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers.
"We are taking all the necessary means to enhance our security."
This includes a security audit and an independent external audit on its infrastructure next year.