If I was someone who would look into systems for less-than-usual purposes, I would start looking at those data-collection APIs and processing pipeline. I bet there's a lot of shallow validations and lack of limits.
It would be fun to see how many phone numbers FB would be happy to import, as an example.
I mean, companies like Twitter have already been bitten (and fined!) for using phone numbers collected for 2FA purposes for advertising and monitoring purposes, which is more or less exactly your concern: https://arstechnica.com/tech-policy/2022/05/twitter-pays-150...