A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not able to identify any horizontal privilege escalation vulnerabilities as a result of this report; however, the issue was triaged and resolved as a High severity finding.
Many thanks to @loxiran for reporting this issue.
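
The sketch below is an added example, not code from the affected service or from the report: it shows one way a backend request can end up carrying undefined as a parameter, next to a hardened resolver. The report does not say how the value became undefined; the resolver names, the /users/<username>/addresses path and the sample records are assumptions constructed for illustration.

```javascript
// Added illustration: every name, path and record below is hypothetical and constructed.
// In-memory stand-in for the backend address book API, keyed by username.
const BACKEND = new Map([
  ["alice", ["1 Example Street"]],
  ["undefined", ["9 Placeholder Road"]], // an account literally named "undefined"
]);

// Stand-in for the HTTP call to the backend: GET /users/<username>/addresses
function backendGet(path) {
  const m = /^\/users\/([^/]+)\/addresses$/.exec(path);
  if (!m) throw new Error("BAD_PATH");
  return BACKEND.get(decodeURIComponent(m[1])) || [];
}

// Weak form: the resolver trusts an optional client-supplied argument.
// When the query omits it, the template literal turns the missing value
// into the string "undefined" and the backend treats that as a username.
function addressBookUnsafe(args) {
  return backendGet(`/users/${args.username}/addresses`);
}

// Hardened form: the username comes from the authenticated session, is
// checked to be a non-empty string, and is encoded before it reaches the path.
function addressBookSafe(_args, ctx) {
  const username = ctx && ctx.session ? ctx.session.username : undefined;
  if (typeof username !== "string" || username.length === 0) {
    throw new Error("UNAUTHENTICATED");
  }
  return backendGet(`/users/${encodeURIComponent(username)}/addresses`);
}

// Helper for demonstration: returns the error message a call fails with, or null.
function failure(fn) {
  try { fn(); return null; } catch (e) { return e.message; }
}
```

Rejecting the request when the identifier is missing, rather than forwarding whatever the value coerces to, keeps a placeholder string from ever being matched against real usernames.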