Stay's main beef is that no one was notified of the changes (which, incidentally, affect verify_credentials()). Stay further reported that an email response from a Twitter rep stated that the company "assumed (apparently incorrectly) that people were only using this method occasionally."
The change in the API limits the number of username/password verifications to 15 per hour. According to the afore-linked developer wiki, "Because this method can be a vector for a brute force dictionary attack to determine a user's password, it is limited to 15 requests per 60 minute period (starting from your first request)." The wiki language was changed June 29.
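To make the quoted limit concrete, here is an added sketch of a fixed-window limiter (15 requests per 60 minutes, with the window opening on the first request); it is not Twitter's code. The wiki text quoted above does not say what the count is keyed on, so the per-client `key` and the `simulate` helper are assumptions for illustration.

```python
import time

LIMIT = 15          # requests per window, from the wiki text quoted above
WINDOW = 60 * 60    # "60 minute period", in seconds


class FixedWindowLimiter:
    """Per-key counter whose window opens on that key's first request."""

    def __init__(self, limit=LIMIT, window=WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._state = {}  # key -> (window_start, count); key choice is assumed

    def allow(self, key):
        """Return (allowed, retry_after_seconds) for one request by `key`."""
        now = self.clock()
        start, count = self._state.get(key, (None, 0))
        if start is None or now - start >= self.window:
            start, count = now, 0  # first request, or previous window expired
        if count >= self.limit:
            return False, start + self.window - now
        self._state[key] = (start, count + 1)
        return True, 0


def simulate(duration, step, key="client-a"):
    """Constructed traffic: one request every `step` seconds for `duration`
    seconds. Returns how many requests the limiter let through."""
    t = [0]
    limiter = FixedWindowLimiter(clock=lambda: t[0])
    allowed = 0
    for now in range(0, duration, step):
        t[0] = now
        ok, _ = limiter.allow(key)
        allowed += ok
    return allowed


if __name__ == "__main__":
    print(simulate(3600, 60))      # an app checking credentials once a minute
    print(simulate(24 * 3600, 1))  # one request per second for a full day
```

The first run shows why an app that calls the method routinely starts failing within the hour; the second shows the ceiling the limit puts on password guesses per key per day.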
Granted, Twitter has had a bit of a media tsunami on its hands lately, but we still must note that no official announcement has been made about the API changes. This seems to be the case with other API changes as well. For example, earlier this month, API request limits were increased from 100 to 150, as several blogs and end users noted at that time. No official announcement was made; the information was confirmed, as with this most recent change, through an update to the API wiki.
Although the company is usually tight-lipped, do you think developers whose apps and livelihoods rely on the service and the API deserve a dedicated blog? Google Code is a great resource that acknowledges the ecosystem of apps built around that company's APIs.
Even if Twitter can't afford to support developers with resources of a Googlesque stature, we do tend to feel that developers who rely on the API deserve advance warning of certain changes, even ones the company might consider minor. As it stands, app developers are subjected to a string of pleasant surprises followed by sucker punches.