For example, they store the message database on the shared mass storage partition (a.k.a. SD card), where it can be read by all installed applications.
Wasn't it also true that the password for every account was a simple function of the phone number? Then they changed it, only to base in the IMEI instead.
I didn't look at it again so I don't know if they fixed it for real in the end.