From Pwning a major New Zealand service provider:
When I typed in my phone number to make an account, I noticed it made an outgoing HTTP request checking if I already had an account.
https://kiwiservices.example.com/users?filter=["phone":"64123456789"]
Yes, you just had the same thought as me. If I removed the filter, what would happen? Would it return user details unrelated to my account, or would it just error out?
Well, it actually turned out to be neither. The request timed out after 30 seconds with no data returned. However, this is still very odd, as the request should have either given an error code or some kind of response.
My next thought was: what if the request was timing out because it was trying to do a computationally heavy task, such as gathering multiple users' details and sending them to me?
After some trial and error I managed to finally make the request work.
https://kiwiservices.example.com/users?range=[1,1] // Requests the first user
This returned a list of user[s] containing the following data (censored) for what seemed to be a testing account...
My small group of peers have an idea of which organisation this could be related to. I guess we won't have confirmation if they don't disclose it.
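Modelling the behaviour above in Python, as an added example that is not code from the original post or from the provider: the sample records, the function names and the semantics of `filter` and `range` (a JSON object of field/value pairs and a 1-based inclusive `[start, end]` pair) are assumptions, since the post documents none of them. The vulnerable handler reproduces the three observations (a filtered lookup, an unbounded query that selects everything, and `range=[1,1]` returning the first record), and the hardened check beside it shows the shape an "is this number taken?" endpoint should have.

```python
import json

# Constructed sample records standing in for the provider's user table.
USERS = [
    {"id": 1, "phone": "64123456789", "email": "test@example.com", "name": "Test Account"},
    {"id": 2, "phone": "64987654321", "email": "alice@example.com", "name": "Alice"},
    {"id": 3, "phone": "64555000111", "email": "bob@example.com", "name": "Bob"},
]


class BadRequest(Exception):
    """Raised by the hardened handler for anything outside its one allowed shape."""


def vulnerable_users_endpoint(params):
    """Models the /users behaviour described in the post (assumed semantics).

    `filter` is taken to be a JSON object of field -> value, `range` a JSON
    [start, end] pair, 1-based and inclusive; the post documents neither.
    Client-controlled filter and range, plus whole records in the response,
    is what turns a sign-up existence check into a user dump.
    """
    rows = USERS
    if "filter" in params:
        conditions = json.loads(params["filter"])
        rows = [u for u in rows if all(u.get(k) == v for k, v in conditions.items())]
    if "range" in params:
        start, end = json.loads(params["range"])
        rows = rows[start - 1:end]
    # No filter and no range: every record is selected. On a real table this
    # is the "timed out after 30 seconds" case from the post.
    return rows


def hardened_phone_check(params):
    """The same sign-up check with the attack surface removed.

    Exactly one parameter (`phone`) is accepted, it is validated before it
    reaches the data layer, and the response is a boolean, never a record.
    There is no way to express "all users", so the unbounded case cannot occur.
    """
    unexpected = set(params) - {"phone"}
    if unexpected:
        raise BadRequest(f"unexpected parameters: {sorted(unexpected)}")
    phone = params.get("phone", "")
    if not (phone.isdigit() and 8 <= len(phone) <= 15):
        raise BadRequest("malformed phone number")
    return any(u["phone"] == phone for u in USERS)


if __name__ == "__main__":
    print(vulnerable_users_endpoint({"range": "[1,1]"}))   # the first record, no auth required
    print(len(vulnerable_users_endpoint({})))              # every record
    print(hardened_phone_check({"phone": "64123456789"}))  # True
    try:
        hardened_phone_check({"range": "[1,1]"})
    except BadRequest as err:
        print("rejected:", err)
```

Even the hardened form is still an oracle for one number per request, so it needs rate limiting per client and per phone; the stronger pattern is to not answer at all and instead send the verification SMS or email whether or not the number is already registered.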