The malicious messages spread very quickly, exploiting the vulnerability without the consent of users, likely because the onmouseover function can be used to automatically fill out a form for the user that posts a message to all followers. Users of third-party Twitter applications were not affected by the flaw because they don't use the onmouseover function; it appears that only users surfing the newly updated web version of Twitter were affected, but this number is still estimated to be in the thousands.
The Twitter Status blog today warned users and kept them updated. "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," the posting explained. "We expect the patch to be fully rolled out shortly and will update again when it is. Update (6:50 PDT, 13:50 UTC): The exploit is fully patched." At the time of writing, the message had been retweeted over 5,000 times.