Yep, I am more than happy to prove to Qantas this was the case as well.
I could definitely see
- persons full name
- persons status/points balance/sc credits
- boarding passes for todays flights
- manage booking page for said flight above
- contact details added to that booking (phone/email)
- APIS details for booking above including date of birth and passport details (because this is attached to the booking pnr)
It’s concerning because someone with malicious intents could have even cancelled bookings given they had enough info to do so.
