Bulgarian blogger and digital rights activist Bogomil Shopov

It’s no secret that Facebook treats your personal data as a commodity. But when that data ends up on the open market, you may be surprised at the price it fetches: in this case, less than half a thousandth of a penny.

That’s the rate paid by Bogomil Shopov, a Bulgarian blogger and digital rights activist, for a collection of 1.1 million Facebook names, user IDs, and emails posted to the social marketing site Gigbucks earlier this month for a grand total of five dollars. “I just bought more than 1 million… Facebook data entries,” Shopov wrote on his blog Tuesday. “OMG!”

When I reached Shopov on the phone, he said that he had verified several names and email addresses of his own friends among the list. And he says the data wasn’t merely scraped from public profiles–he checked several email addresses to confirm that they weren’t publicly displayed on the users’ pages.

According to the seller of the information, a Gigbucks user with the handle “mertem,” the data was collected from Facebook applications.”The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe,” reads the Gigbucks post. “Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you.”

Facebook sent me a statement to say it’s looking into the apparent breach of its users’ data, which could lead to spam and phishing attacks.”We have dedicated security engineers and teams that look into and take aggressive action on reports like those raised here. Since this is ongoing, we are not in a position to discuss the investigation at this time,” writes a company spokesperson. I’ll update this post when I hear an update from the company.

Meanwhile, Facebook’s investigation seems to have included contacting Shopov, who says the company asked him to send them the data, delete it, and remove the post from his blog mentioning his purchase. (Instead, he wrote a another blog post about that phone call.)

Shopov, who in 2010 helped to found Bulgaria’s privacy- and digital civil liberties-focused Pirate Party, says he hopes the incident will call attention to Facebook’s insecurity, particularly when users sign up to share data with third-party apps. “Anyone can grab your data,” says Shopov. “Users click ‘I agree’ or ‘I accept,” and their information goes off to the application developer, who can do whatever they want with it.”

Related on Forbes: