
It's not just O2 in the UK. This happens all over the place. See this talk done in 2010: http://mulliner.org/security/httpheaderprivacy.php

It mentions: Orange (UK), Rogers (Canada), H3G (Italy), Vodafone/BILDmobil (Germany), Pelephone (Israel), and on and on...




Three (UK) don't do it, and it's worth also noting that @O2 has been in overdrive about trying to contain the Twitter outrage. Good to see a large corp paying attention for once.


Have you examined all the Three headers to ensure that they are not sending a hashed version of the phone number?


The headers I can see (from my iPhone on Three) are very minimal and don't include anything that looks like it could be a hashed phone number.


None of the ones listed on the lew.io website seemed to include a phone number hash, but I only glanced at it quickly.


Three's headers contain my phone make and model as a wap profile header - nothing personal apart from that.


Just tested this on SGSII and can confirm the same.
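The check discussed in this thread (does any header carry the phone number, in plain or hashed form?), as an added example that is not part of any comment above. It assumes you have captured the request headers your own handset sends to a server you control; the `X-Example-*` header names, the sample values and the function names are constructed for illustration, and the number is from the UK range reserved for fiction.

```python
import base64
import hashlib
import re

HASHES = ("md5", "sha1", "sha256")

# Constructed sample capture, not real operator output.
SAMPLE_HEADERS = {
    "User-Agent": "ExampleBrowser/1.0",
    "X-Wap-Profile": "http://example.invalid/profiles/phone.xml",
    "X-Example-Subscriber": "447700900123",
    "X-Example-Token": hashlib.sha1(b"+447700900123").hexdigest(),
}


def number_variants(country_code, national_number):
    """Common spellings of one subscriber number."""
    cc = re.sub(r"\D", "", country_code)
    nsn = re.sub(r"\D", "", national_number).lstrip("0")
    return {"+" + cc + nsn, cc + nsn, "00" + cc + nsn, "0" + nsn, nsn}


def find_number_in_headers(headers, country_code, national_number):
    """Return sorted (header, form) pairs where the number shows up.

    form is "plain", or the name of an unsalted hash computed over
    one of the spellings (hex or base64 encoded).
    """
    variants = number_variants(country_code, national_number)
    hits = set()
    for name, value in headers.items():
        # Drop separators so "07700 900-123" still matches.
        compact = re.sub(r"[\s().-]", "", value)
        if any(v in compact for v in variants):
            hits.add((name, "plain"))
        for algo in HASHES:
            for v in variants:
                digest = hashlib.new(algo, v.encode()).digest()
                b64 = base64.b64encode(digest).decode()
                if digest.hex() in value.lower() or b64 in value:
                    hits.add((name, algo))
    return sorted(hits)


if __name__ == "__main__":
    for header, form in find_number_in_headers(SAMPLE_HEADERS, "44", "07700 900123"):
        print(f"{header}: number present ({form})")
```

A salted or keyed hash will not match, so an empty result only rules out the plain number and unsalted digests of it.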



