Assuming the general public knows your last name based on your twitter account/handle/profile, then yes - someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid(sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.

I just looked up a future reservation I have in a different browser where I don't log into my account. My Emergency contact name, phone number, trusted traveler number and passport number were all obscured with ****. So your passport number is not at risk of being stolen. However, my full name (including middle) and full AA number were there. Again - not a lot someone can do with that info to steal points.

I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR. Then the risk of someone monkeying with your reservation will be mitigated.

I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.