Gizmodo  did the original reporting on what I've mentioned, based on the work of Alan Mislove amongst others.
Facebook's official statement when 2FA numbers started being made available for other purposes was:
> “We outline the information we receive and use for ads in our data policy, and give people control over their ads experience including custom audiences, via their ad preferences,” said a spokesperson by email. “For more information about how to manage your preferences and the type of data we use to show people ads see this post.”
They saw no reason to deny it. Any information handed to Facebook may be used for any purpose, even if it is not apparent to the user that they will exploit data given under one function for another unrelated function.
As a sibling has pointed out with several sources - this isn't new behaviour for Facebook.