1. OAuth could have allowed me to provide access for 3rd party systems on a case-by-case basis - not providing the credentials that could be stored and re-used.
2. OAuth would allow me to disable access immediately for a 3rd party site.
3. OAuth, as used in GMail, could be used to restrict the levels of access you permit of 3rd party applications. Therefore I may allow a site to read my contacts (which most do) but not send replies or DMs on my behalf (in fact this is what GMail can allow).
... I totally get that anyone can @ you on twitter - but I would be unlikely to click a random link. If it came from a friend - especially DM - I am MUCH more likely to click it.
Only question I have is why did the phishing sites not use tinyURL or something to mask the link?