Whenever a mobile user accesses a website from their phone they share information about that device with the site.
It usually includes the web browser and the model of phone being used to allow the website to display its information in a way that suits your device.
However, O2's mobile network in the UK is also apparently including the phone number of some users in the data.
Malicious websites could use the information to target users with spam texts or scams.
Twitter user @lewispeckover set up a website where users can check if they maybe affected and many reported their numbers were in the HTTP header data.
Web journalist Rhys Griffith tweeted: "Not very impressed and will certainly think twice about renewing with @O2 in the future."
While Niall Rogers said: "Will be making a complaint to the Information Commissioner. Clear breach of Data protection act - not happy."
The Information Commissioner's Office said the issue reported was a breach of the Data Protection Act and privacy laws.
In a statement, data protection watchdog: "When people visit a website via their mobile phone they would not expect their number to be made available to that website.
"We will now speak to O2 to remind them of their data breach notification obligations, and to better understand what has happened, before we decide how to proceed."