Seems that there were some massive security vulnerabilities that NordVPN found. [1] I'm very interested in seeing how this court case works out, as at this point I don't know who to believe.
Apparently its a torguard-vulnerability. To tag a vulnerability as 'trade secret',
and the fact that the disclosure process involved threats (allegedly) is a very bad reflection on both of them. Why should I trust either of them to handle security vulnerabilities responsibly in the future?
[1] https://nordvpn.com/blog/torguard-lawsuit/