TL;DR - scammers would search for every possible phone number, find out the owners' names & info, and make scam calls to them. FB tried to limit searches per IP, but scammers would switch IPs.
Seems like a safer version of this would have been to make the searcher supply more info than the phone number - eg, at least N characters of the person's name. And to tie such searches to an account. And to verify that the found people knew the searcher before allowing them to do more searches.
Seems like a safer version of this would have been to make the searcher supply more info than the phone number - eg, at least N characters of the person's name. And to tie such searches to an account. And to verify that the found people knew the searcher before allowing them to do more searches.