Mostly it's your record locator and frequent flier number, but with that, an attacker can access the ticket record, see your future flights, your email address, and the details of the emergency contacts you'd added to the reservation.
With that info, you can cancel future flights and also get a lot of the info needed to do a PIN or password reset and take control of your account with the airline. Some airlines — like United — treat your frequent flier number itself as a secret authentication token, and this data can be read out of the barcode on the boarding-card.
"Besides his name, frequent flyer number and other [personally identifiable information], I was able to get his record locator (a.k.a. "record key" for the Lufthansa flight he was taking that day," Cory said. "I then proceeded to Lufthansa's website and using his last name (which was encoded in the barcode) and the record locator was able to get access to his entire account. Not only could I see this one flight, but I could see ANY future flights that were booked to his frequent flyer number from the Star Alliance."
The access granted by Lufthansa's site also included his friend's phone number, and the name of the person who booked the flight. More worrisome, Cory now had the ability to view all future flights tied to that frequent flyer account, change seats for the ticketed passengers, and even cancel any future flights.
What's in a Boarding Pass Barcode? A Lot
[Brian Krebs/Krebs on Security]
