Originally Posted by SP0

There was a security issue on the website for a number of days - I notified BA but held back from posting here until it was fixed.

On several different browsers, and regardless of whether cookies were deleted, browsers were closed, etc, pressing "Log out" generated what looked like a logged-out session, ie "Log in" was now displayed. But it was not actually logged out.
On Safari, pressing "Log in" sent you back into your account with no password prompt or other verification. On Chrome it was worse: it replaced the header with "Log in" but left the rest of the screen still displaying account data, and any link would get you right back into the account.

This is a risk for anyone sharing a computer. It also made it impossible to log out from your account and log in on a different account (eg family member).

As others have noted here previously, there is no published address to report security issues to BA, so it took a while to get it through the regular contact form triage. But the issue appears now resolved.
Nevertheless from now on, as BA does have a habit of re-introducing bugs, I'm going to click on "Log in" after each session to be sure I am actually logged out.

--- Edited to add:

Actually I don't think this is fully fixed. I found another way to get back into a logged in account (which I won't report here). I also found that when I updated my partner's passport details, I get a message "You are already logged in with a different account. You will need to log out and log in again to access a different scheme". ("Scheme"? eh?? No one proof-read or user-tested that message I guess.). That presents a Log Out button which doesn't change anything, so a second attempt ends up in the same place again. Aargh.