The company claimed that changes made during routine maintenance meant that from 10 to 25 January 2012 customers' mobile numbers would have been logged by websites visited by O2 subscribers using 3G or WAP.
A storm of concern erupted on Twitter after by O2 customer and web systems administrator Lewis Peckover alerted others to the security flaw he discovered.
Security experts said the breach meant that website owners could potentially collect the mobile numbers and use them, without consent, for spam or phishing.
After stalling most of the day by promising to look into the matter, O2 finally said: “We investigated, identified and fixed it this afternoon. We would like to apologize for the concern we have caused."
O2 said the problem was a temporary issue, but said that it does add mobile numbers to header information sent to “trusted partners", describing it as “standard industry practice” in a blog post.
The mobile operator said this was needed to manage "age verification, premium content billing, such as for downloads, and O2's own services".
However, a technical glitch resulted in websites other than O2’s usual trusted partners receiving the information.
The company also said it had contacted the UK Information Commissioner’s Office (ICO) and telecoms regulator Ofcom, according to the BBC.
The ICO said people visiting a website from a mobile phone would not expect their number to be made available to that website.
"We will now speak to O2 to remind it of its data breach notification obligations, and to better understand what has happened, before we decide how to proceed,” the ICO said.
This story was first published by Computer Weekly