[jlgaddis]

It's been a looong time ago but I remember when some instant messenger application was found to be performing authentication client side -- i.e. "Hey server, I'm $user. I promise!" and you were in.

I want to say it was Yahoo Messenger but my memory could very well be lying to me.

[Matt3o12_]

WhatsApp used to use your devices MAC address for authentication. A quick screenshot of the vicitim's settings page would be enough to send and receive messages in their name. Since whatsapp does not store messages after they have been delivered, the victim would never see the messages sent from his whatsapp number (except when looking at the recipients phone). You could, however, realize that your account has been hacked when you notice that some messages were not arriving (they would arrive at the attacker's client only and whatsapp will not transmit already recived message again).

The only fix was to buy a new phone and hope nobody will make a screenshot of your settings page again (or spoofe your MAC address which would not always work).