"Security is our top most priority, we're investigating this at the moment & will come back with more info as soon as we can."
The Next Web confirmed that Orange, T-Mobile and Vodafone numbers are unaffected by the issue, but GiffGaff and Tesco Mobile (both MVNOs that operate on the same network) are affected. TNW's sources say it's most likely an internal testing setup, while Mr. Peckover suggests it's because the network transparently proxies HTTP traffic, using the number as a UID.
Update: We received confirmation from O2, who said that it was "investigating with internal teams and it's our top priority." Slashgear and Think Broadband were unable to replicate the problem, but in our tests (pictured) it was sharing our data with the site.
Update 2: Consumer magazine Which? contacted the UK privacy watchdog, the Information Commissioner's Office, which offered the following:
"Keeping people's personal information secure is a fundamental principle that sits at the heart of the Data Protection Act and the Privacy and Electronic Communications Regulations. When people visit a website via their mobile phone they would not expect their number to be made available to that website.
We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."
We'll let you draw your own conclusions from that one, but it's not shaping up to be a good day for the company (or its users).
Update 3: Our tests have stopped working now, as it looks like the network is hurriedly trying to close the hole, but we've had no official word that it's over just yet.
Update 4: O2 has issued a full statement and Q&A which we've embedded after the jump. Long story short, it's fixed the issue -- caused by accidental routine maintenance. If you're a 3G / WAP user, you will have shared your number with any site you visited since January 10th. The network has promised it will co-operate fully with the ICO and has reported itself to Ofcom.