... Or even against MD5, IIRC, which is why you are still kind of able to use HMAC-MD5. You probably still shouldn’t, but I don’t know of any other symmetric authenticator that is as short and requires neither vast tables of constants nor 64-bit operations for an implementation. (For all the recent lightweight crypto work, the only cipher I can reasonably see myself implementing on an oldish ATMega without disgust is the NSA’s Speck, with all the accompanying caveats, and there isn’t a single hash of a comparable complexity at all.)
I never wrote that SHAttered is a preimage attack. What I wrote is exactly correct. There are multiple preimage attacks, neither of which I referenced.
A first preimage is where one searches for h(m1)=h(m2). A second preimage attack is where, given m1, find m2 such that h(m1)=h(m2).
It's best not to give the incorrect impression when discussing something exact. As with any crypto, the construction is either valid or not, but it is actually the use of the construction that determines real world correctness.
For example, if SHA-1 is used over input where there is known data in specific positions, that is quite different to SHA-1 over unknown data. In practice, the first is often the case.