It's more likely the passphrase/crack was obtained by other means than brute-forcing.
A 21 character password with upper+lower case, numbers and popular punctuation has about 65^21 combinations.
Sure, attackers can use many GPUs. Say you have 1 million devices that do 600 million SHA256 per second.
Say PBKDF2 with "only" 10,000 rounds of SHA256.
65^21 x 10000 / (1 million x 600 million) seconds = 6.22206506 × 10^19 years. Sure, in theory you'd probably find it less than 50% of the way through, but in practice you're going to use a different method.
Thus I doubt the problem was with PBKDF2, and I suspect this article is a distraction from the actual methods used/vulnerability exploited.
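The estimate above, generalized as an added example that is not part of the original comment: it reproduces the 21-character figure and then finds the longest password whose whole keyspace fits a given time budget under the same attacker model. The function names and the 365.25-day year are assumptions made here; like the comment, it counts one PBKDF2 round as one SHA256 call.

```python
# Added example: exhaustive-search cost under the comment's attacker model.
# Assumption (from the comment): one PBKDF2 round costs one SHA256 call.
from fractions import Fraction

SECONDS_PER_YEAR = Fraction(36525 * 86400, 100)  # assumed 365.25-day year


def full_search_years(alphabet, length, rounds, devices, hashes_per_sec):
    """Years needed to try every password of exactly `length` characters."""
    hashes = alphabet ** length * rounds            # exact integer arithmetic
    seconds = Fraction(hashes, devices * hashes_per_sec)
    return seconds / SECONDS_PER_YEAR


def longest_searchable(budget_years, alphabet, rounds, devices, hashes_per_sec):
    """Longest password length whose full keyspace fits in `budget_years`."""
    length = 0
    while full_search_years(alphabet, length + 1, rounds,
                            devices, hashes_per_sec) <= budget_years:
        length += 1
    return length


# Figures taken from the comment: 65 symbols, 10,000 rounds,
# 1 million devices at 600 million SHA256 per second each.
MODEL = dict(alphabet=65, rounds=10_000,
             devices=10**6, hashes_per_sec=600 * 10**6)

if __name__ == "__main__":
    years = full_search_years(length=21, **MODEL)
    print(f"21 characters: {float(years):.3e} years")
    for budget in (1, 100):
        n = longest_searchable(budget, **MODEL)
        print(f"{budget:>3}-year budget: up to {n} random characters")
```

Under these figures a one-year budget covers random passwords of up to 10 characters and a 100-year budget up to 11, which is the margin the 21-character case sits above.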