Oscar: I know about it, you know about it - but is that really enough? If spam and phishing can spread widely because people aren't as well up on using Twitter as you or me, then that's a problem - because for a service that gets widespread use, there are always going to be large numbers of not very IT savvy people using it. Why hasn't Twitter taken the simple step of providing a tick box option when you change your password to also revoke or not the OAuth permissions? I guess we may argue over what the default on that should be 🙂 But expect people to understand that changing their password isn't enough is just asking for trouble.