It seems that address information is being stored in a cookie which isn't cleared when the user logs out.
Here's how to reproduce it:
1. Log in as user A and run through the checkout process up until the final confirmation page.
2. Log out as user A.
3. Log in as user B, add an item to the cart then click the checkout button. The shipping information form is pre-populated with user A's information rather than user B's.
This seems like a pretty nasty security issue especially for those using public computers to use the store.