The mobile carrier has allegedly been transparently sharing user phone numbers within the HTTP headers sent to websites, which usually show information on how web content is displayed on a user's device.
HTTP headers are not normally viewable by mobile users and are generally not logged by websites. But concerns have been raised that malicious operators could access the personal information for commercial or even criminal gain.
The issue, which was first uncovered on the website run by Lewis Peckover, is a major embarrassment for O2 and has already resulted in a torrent of criticism online.
One O2 user, named 'Ad Taylor', posted on O2's Twitter page: "Why are you giving my mobile number in HTTP headers? This is disgraceful! I'm off ASAP!"
Another user said: "Going to cancel my @o2 contract today because they have given my mobile number to third parties without my permission, surely a DPA breach."
In response to the criticism, O2 insisted that it does take security "seriously" and said that it is looking into the matter "urgently".
The company tweeted: "We're looking into this as a priority for all our customers, once we've got more info, we'll let everyone know."
This is not the first time that potential risks have been flagged up around mobile users' personal information being shared in HTTP headers.
In 2010, Computerworld reported a warning form a security researcher over how data like phone numbers was being disclosed on the web.
Collin Mulliner, a Berlin student and self-confessed hacker, warned that some mobile networks were reformatting web data on proxy servers, potentially leaving it open to cyber scams such phishing schemes.
Mulliner claimed to have found that data sent by large carriers, including Orange in the UK, could be used to identify individual mobile users by third parties.
It is unclear whether the latest HTTP information scandal extends beyond just O2 to Orange or other UK mobile carriers.
Thinkbroadband says that it has tested the issue on Vodafone's network and "found no trace of a similar problem".
The website believes that O2 has already started working on a fix, and suggests that the issue is down to a misconfiguration in O2's internal systems for identifying when users are trying to make changes to their account.
> Apple denies tracking iPhone users' every move