Assuming the general public knows your last name based on your twitter account/handle/profile, then yes - someone could access your reservation and cancel or change it. They can't see your payment info, though they would have the flight times, fare paid(sometimes), seat assignments and other info relevant to the flight. They also may be able to see your email and phone number if it's in your record.
I don't think you're going to get far asking for compensation for this, but you could ask them to create a new PNR.
I'm curious to ask why you would communicate with them on the public Twitter feed instead of the DM? And I don't think you can request an upgrade with someone else's SWU. The holder of the SWU would have to make the request, which is fairly easy to do on aa.com or by them calling the phone agent - both of which are probably faster than doing it via Twitter.
For a bit more clarification it was a big multi city booking made on BA with 5 flights operated by AA. Having access to AA system would give them access from there to the BA reference and I know for a fact that within the OW alliance some reservations could be put into other airlines systems. For example I believe you can access a BA booking on Sri Lankan with a BA reference number. Sri Lankan allows access to passport data and everything else with no further verification. Once there they literally have everything. Even just on AA site you have enough info to call up and get thru security and modify/cancel flights as you wish with all charges billed to card on file.
So I believe it is fairly serious if a professional/bot did see the info
Why Twitter? I was asking a "in theory" question. I was asking whether something would work, not for them to do it. So felt no need for a DM as it was a standard question. When I asked them what booking they were talking about I was expecting the answer to be the date, the flight destination or perhaps a DM, not something confidential