[api]

PSA: AES is not broken at all here. This is a break of a crap key derivation function that used MD5.

It shows that all components of a cryptosystem are important. Attacks seldom target things like actual ciphers unless it's one known to be weak like RC4 or single-DES. They target bad constructions (like this), implementation bugs, etc.

[spydum]

Actually the AES encryption they implemented is ALSO broken. The premium instances of AES-256, "512" and "1024" were totally broken and based on zero-content blocks, the security gets reduced to 128-bit in all scenarios. So yeah, AES itself not broken, but.. the places it implements AES-256, 512, and 1024, were broken by implementation.