Hi Lee,

In which case, Twitter needs to tell users that. Currently, when resetting a password, Twitter makes no mention of OAuth.

The original email I received says "revoke the access privileges of any third party applications that you do not recognize." But if the hacker has been using the same third-party application as you, you'll be none the wiser.

This is an education issue. Unfortunately, until everyone completely understands this new way of thinking, it is a security hole. A user will think they have restored security to their account when, in fact, a malicious user could still be logged in.

OAuth is a new way of thinking for most people. Twitter should make it as easy as possible to revoke all OAuth tokens. Perhaps it doesn't need to be done automatically with every password reset - but offering it as an option when you've told a user that their account is compromised would probably be a good idea.

Thanks for the comment

T
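The situation T describes, as an added illustration that is not part of this reply and not Twitter's code: a constructed, hypothetical token store where the account owner and an intruder have both authorized the same third-party application, so the application list shows nothing suspicious, and a password reset only helps if it also revokes every OAuth token. All names (Account, TokenStore, issue_token, reset_password, compromise_scenario) are assumptions made up for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed illustration: a hypothetical OAuth-style token store, not any
# real service's API. A password reset that leaves OAuth tokens intact keeps
# an intruder's token fully usable, and the owner cannot tell their own
# authorization of an app apart from the intruder's authorization of the same app.


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # access token -> name of the third-party application it was issued to
    tokens: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash; the exact choice is incidental to the point being made.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenStore:
    def __init__(self) -> None:
        self.accounts: dict = {}

    def create_account(self, username: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(username, salt, _hash(password, salt))
        self.accounts[username] = acct
        return acct

    def issue_token(self, username: str, app_name: str) -> str:
        """Authorize a third-party application; returns the bearer token."""
        token = secrets.token_urlsafe(32)
        self.accounts[username].tokens[token] = app_name
        return token

    def token_is_valid(self, username: str, token: str) -> bool:
        return token in self.accounts[username].tokens

    def visible_app_names(self, username: str) -> list:
        """What the 'applications you have authorized' page would show: app names only."""
        return sorted(set(self.accounts[username].tokens.values()))

    def reset_password(self, username: str, new_password: str, revoke_all_tokens: bool) -> int:
        """Change the password; optionally revoke every OAuth token.

        Returns the number of tokens revoked.
        """
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        revoked = 0
        if revoke_all_tokens:
            revoked = len(acct.tokens)
            acct.tokens.clear()
        return revoked


def compromise_scenario(revoke_on_reset: bool) -> dict:
    """Owner and intruder both authorized 'SameApp'; the owner then resets the password."""
    store = TokenStore()
    store.create_account("alice", "old-password")
    owner_token = store.issue_token("alice", "SameApp")
    intruder_token = store.issue_token("alice", "SameApp")  # held by the intruder
    apps_seen_by_owner = store.visible_app_names("alice")  # just ["SameApp"]: nothing to "not recognize"
    revoked = store.reset_password("alice", "new-password", revoke_all_tokens=revoke_on_reset)
    return {
        "apps_seen_by_owner": apps_seen_by_owner,
        "revoked": revoked,
        "intruder_still_has_access": store.token_is_valid("alice", intruder_token),
        "owner_still_has_access": store.token_is_valid("alice", owner_token),
    }


if __name__ == "__main__":
    print("reset without revocation:", compromise_scenario(False))
    print("reset with revocation:   ", compromise_scenario(True))
```

Without revocation the owner's app list shows a single familiar entry and the intruder's token keeps working after the reset; with revocation both tokens die and the owner simply re-authorizes the app, which is the "offer it as an option when the account is compromised" behaviour the reply asks for.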