Security researcher Martin Vigo studied the password reset methods of popular websites and found that they revealed between two and five digits of the account's phone number. Vigo found that, using resources from the North American Numbering Plan Administrator (NANPA) and the National Pooling Administrator alone, an adversary can zero in on the correct victim number. The method should work faster if the victim is registered with a service like PayPal, which reveals the first and four digits during the password reset process, Vigo said. PayPal said that everything works as designed and took no action, despite revealing digits.
Source: https://www.bleepingcomputer.com/news/security/phone-numbers-exposed-by-inconsistent-password-reset-processes/