Breaking Twitter (authentication)

Yesterday we spent some time speculating on how phishing attacks like the one afflicting Twitter on Wednesday of this week are seeded. How are the original direct messages sent out that kick off the first stolen credentials, the next set of direct messages, and so on in the loop? We were hoping, but [...]