I'm not sure if this is proper reaction. NordVPN wasn't hacked. A hosting provider who provides servers for many VPN providers was hacked. That NordVPN discloses this means they are more trustworthy not less.
I'm dubious how much privacy VPN providers actually provide. It means placing unwarranted trust in the VPN provider. But also, as this incident shows, it means unwarranted trust in the the companies who provide servers to the VPN provider.
VPN providers, as a rule, don't own their own servers. Instead, they rent servers at various "hosting" providers around the world. These hosting providers have complete physical access to the box, and can secretly monitor everything on the box if they want using physical access.
There is a persistent rumor the NSA does exactly this sort of thing, that they routinely get secret physical access to servers at hosting sites around the world. On one hand, it's a conspiracy theory. On the other hand, if I were running the NSA, I'd make sure they did this.
Worse yet, many hosting providers have logical access to boxes. For example, they provide "terminal services" to the box that gets a root prompt, across a serial port. This mean cheaper support, as a customer can get access to the box even when they've screwed things up.
As a hosting customer, I regularly screw things up so bad that i have to call them up and ask them to restore the box for me. Remote serial, or better yet, remote KVM (keyboard, video, mouse, USB) means I can get to the box without contacting their support.
A VPN provider could setup their own data center where they physically control their boxes, but they could only do so for 1 or 2 locations. But they want servers in every major country, meaning they need these remote hosting services.
One reason for VPNs is privacy. Another reason is to escape per-country copyright restrictions. If you are a Japanese expat living in the United States and want to watch Japanese Netflix, then you need to VPN back to Japan to do so.
Thus, VPN companies don't have a single physically controlled data center, they instead of have servers spread around the world in lots of data centers, from a wide variety of different hosting companies, each with different security problems.
