It says the hackers had access to WhatsApp servers, so they can tell who is talking to whom, and depending on how WhatsApp does encryption they may have been able to decrypt messages. I say may, because WhatsApp had pitched itself as an encrypted messaging system, though personally I’d bet they could because it’s easy to claim your service is encrypted and yet still design backdoors for yourself.
The article is garbling the WhatsApp allegations: WhatsApp says the hackers abused WhatsApp servers to hack phones, not that the servers had a flaw. To send the malicious payloads to the victims, the hackers sent messages that flowed over WhatsApp's networks, which largely what they're hanging the lawsuit on.
