Have you ever sent a password to anyone else through email or text? Perhaps a colleague trying to solve a problem on a system? Maybe to family or friends? I know I've had to send passwords (reluctantly) to my wife and kids at times. I hate doing that and usually change the password shortly thereafter. I think passwords lingering in email, or really in any digital plaintext, are a bad idea.
Note: It's easy for me to change passwords since I use Password Safe. I think everyone should use a Password Manager, as do others.
I ran across a piece this week that noted 10 million Android phones have malware that has rooted their operating system. For the most part this malware is designed to show ads and install apps. However, is it a reach to think that someone will use malware at some point to read text messages and email? After all, both of those functions are tightly built into iOS, Android, and Windows Phone at the OS level. If you've connected an account, it's possible that malware could access those applications.
From there, it's a short leap to searching through messages for "password" and forwarding whatever turns up. Many databases aren't reachable from the Internet, but some are, and the credentials for others may well be valuable enough to sell. Security works well in layers, but no layer is perfect, and a determined attacker can likely get through some of them. That is especially true if the compromised mobile device also carries a VPN connection into your network: the phone is then already on the inside, and any credentials it harvested can be used directly.
Mobile devices are becoming ubiquitous, for everyone. It's not just technical people that now have access to internal systems from mobile devices; everyone from low-level marketing staff to high-level executives is becoming comfortable with accessing information regularly, from anywhere, at any time. This means our security is inherently weaker, because we have chosen to allow that access.
There isn't a good solution to this, but it certainly behooves us to be very careful about what credentials we send in communications, and to have ways to revoke access and issue new credentials when we need to. Education helps as well, but anyone can be taken in by some of the clever individuals out there intent on installing something on your device.
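The same search an attacker would run over a mailbox (the "password" search described above) is also the fastest way to find out which of your own credentials are already lingering in plaintext and need rotating. The script below is an added example, not code from the original post: it scans a constructed export of messages for disclosed passwords and tokens and reports where they are and who sent them, without ever writing the secret itself back out. The message format (id, sender, body), the sample messages and the regular expressions are all assumptions made for the example; the patterns are heuristics and the report is meant to be reviewed by a person.

```python
import re
from dataclasses import dataclass

# Constructed sample message export (message id, sender, body). These are
# made-up messages written for this example, not from the original post.
SAMPLE_MESSAGES = [
    ("m1", "steve@example.com",
     "Hi, the password for the reporting server is Summer2016! - let me know if it works"),
    ("m2", "kid@example.com", "what's the wifi pw again?"),
    ("m3", "colleague@example.com",
     "login: sa / pwd: P@ssw0rd#9 for the staging box, change it after"),
    ("m4", "colleague@example.com", "Can you reset my password? I forgot it."),
    ("m5", "steve@example.com", "Use token abcdef1234567890 to connect to the VPN"),
]

# "password ... is/:/= <value>". The bounded gap allows phrasing such as
# "the password for X is Y". A request like "reset my password?" has no
# is/:/= followed by a value, so it is not reported.
PASSWORD_RE = re.compile(
    r"\b(?:password|passphrase|passwd|pass|pwd|pw)\b[^\n]{0,40}?(?:\bis\b|:|=)\s*(\S+)",
    re.IGNORECASE,
)
# Long opaque strings introduced by token / api key / secret.
TOKEN_RE = re.compile(
    r"\b(?:token|api[_ -]?key|secret)\b\s*(?:\bis\b|:|=)?\s*([A-Za-z0-9_\-]{16,})",
    re.IGNORECASE,
)


@dataclass
class Finding:
    message_id: str
    sender: str
    kind: str           # "password" or "token"
    secret_length: int
    redacted: str       # what the report shows instead of the secret


def find_disclosed_credentials(messages):
    """Return one Finding per credential-looking value in the messages.

    The secret is never stored in the Finding: only its kind and length,
    so the report does not become yet another plaintext copy of it.
    """
    findings = []
    for message_id, sender, body in messages:
        for kind, pattern in (("password", PASSWORD_RE), ("token", TOKEN_RE)):
            for match in pattern.finditer(body):
                secret = match.group(1)
                findings.append(Finding(
                    message_id, sender, kind, len(secret),
                    f"<{kind} redacted, {len(secret)} chars>",
                ))
    return findings


def senders_needing_rotation(findings):
    """Everyone who has put a credential into a message needs to rotate it."""
    return {f.sender for f in findings}


if __name__ == "__main__":
    for f in find_disclosed_credentials(SAMPLE_MESSAGES):
        print(f"{f.message_id} from {f.sender}: {f.redacted}")
    print("rotate credentials for:", sorted(senders_needing_rotation(SAMPLE_MESSAGES and
          find_disclosed_credentials(SAMPLE_MESSAGES))))
```

Run against a real mailbox export, the findings list tells you which credentials to change first and which senders to talk to; because the secret itself is replaced with a length-only placeholder, the output can be shared with the people who need to act on it.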
I also think that monitoring and regular audits of access are important, so that when unauthorized access takes place (and it likely will), you can shut it down as quickly as possible. This security race is never going to be over, and we'll never prevent all attacks. However, we can learn to respond quickly.
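As an added example of the kind of access monitoring described above (not code from the original post), the script below runs over a constructed login audit log and flags successful logins that come from outside an account's usual networks, that happen outside business hours, or that follow a burst of failed attempts. The log format, the per-account trusted networks, the business-hours window and the thresholds are all assumptions made for the example; the point is that each successful login is checked against a baseline as it arrives, so the review can happen the same day rather than at the next quarterly audit.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines in a hypothetical "timestamp event user src"
# format; not from any real system or from the original post.
SAMPLE_LOG = """\
2016-07-05T09:12:03Z LOGIN_SUCCESS user=sjones src=10.0.4.21
2016-07-05T13:47:10Z LOGIN_SUCCESS user=mkim src=10.0.4.88
2016-07-05T23:58:41Z LOGIN_FAILURE user=sjones src=198.51.100.23
2016-07-05T23:58:52Z LOGIN_FAILURE user=sjones src=198.51.100.23
2016-07-05T23:59:07Z LOGIN_SUCCESS user=sjones src=198.51.100.23
2016-07-06T02:15:30Z LOGIN_SUCCESS user=mkim src=10.0.9.5
"""

# Assumed baselines: the networks each account normally logs in from.
TRUSTED_NETWORKS = {
    "sjones": [ipaddress.ip_network("10.0.4.0/24")],
    "mkim": [ipaddress.ip_network("10.0.0.0/16")],
}
BUSINESS_HOURS_UTC = range(7, 20)       # 07:00 to 19:59 UTC, assumed
FAILURE_WINDOW = timedelta(minutes=5)   # failures counted before a success
FAILURE_THRESHOLD = 2


@dataclass
class Event:
    ts: datetime
    outcome: str
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address


@dataclass
class Alert:
    ts: datetime
    user: str
    src: str
    reasons: list


def parse_line(line):
    ts, outcome, user_kv, src_kv = line.split()
    return Event(
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        outcome,
        user_kv.split("=", 1)[1],
        ipaddress.ip_address(src_kv.split("=", 1)[1]),
    )


def audit_logins(log_text):
    """Return an Alert for every successful login that breaks a baseline rule."""
    alerts = []
    recent_failures = defaultdict(list)   # (user, src) -> failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev.user, ev.src)
        if ev.outcome == "LOGIN_FAILURE":
            recent_failures[key].append(ev.ts)
            continue
        if ev.outcome != "LOGIN_SUCCESS":
            continue
        reasons = []
        if not any(ev.src in net for net in TRUSTED_NETWORKS.get(ev.user, [])):
            reasons.append("untrusted_source")
        if ev.ts.hour not in BUSINESS_HOURS_UTC:
            reasons.append("off_hours")
        failures = [t for t in recent_failures[key] if ev.ts - t <= FAILURE_WINDOW]
        if len(failures) >= FAILURE_THRESHOLD:
            reasons.append("failures_then_success")
        recent_failures[key].clear()
        if reasons:
            alerts.append(Alert(ev.ts, ev.user, str(ev.src), reasons))
    return alerts


def accounts_to_disable(alerts):
    """Accounts to revoke now: a success from an untrusted source after repeated
    failures looks like a guessed or stolen credential, not a late night at work."""
    return {a.user for a in alerts
            if "untrusted_source" in a.reasons and "failures_then_success" in a.reasons}


if __name__ == "__main__":
    found = audit_logins(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts.isoformat()} {a.user} from {a.src}: {', '.join(a.reasons)}")
    print("disable now:", sorted(accounts_to_disable(found)))
```

An off-hours login from a trusted network is worth a look the next morning; a login from an unknown address that follows a run of failures is the case where having a way to revoke access and issue a new credential quickly pays off, which is why the script separates the two.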