Black Friday has come and gone, but you should still keep a close eye out for scammers, who see the holiday sales season as the most wonderful time of the year. And if you think they're above that sort of low blow, look no further than whoever it was that hacked the Make-A-Wish site to illicitly mine cryptocurrency. Yes, the Make-A-Wish site.

Russia's elite hackers, meanwhile, have resurfaced, apparently with a new phishing trick in tow. Or rather, an old trick that they've brought back. And we also took a look at the DOD's new nonlethal arsenal, which ranges from lasers to "mucous gunk."

Also, remember that notorious Rowhammer attack? It just got much worse. Happy holidays!

A number of Amazon customers this week received an email letting them know that the company "inadvertently disclosed" their name and email address due to a "technical error." If that sounds vague, well, it is! In fact, the company's opacity here may be just as alarming as the exposure itself, especially given that this is the second time this fall that Amazon has played loose with customer emails. The people deserve to know!

Those of you on dystopia watch, which frankly should be everyone, please read this jarring account of how the provider of a CPAP machine—which helps with sleep apnea—not only monitors patient data, but shares it with insurance companies, who in turn deny payments to patients who don't use the device. This appears to be not only legal, but increasingly standard practice. Read this ProPublica story. It'll make you mad.

The promise of a passwordless future has been a long, long, long time coming. And in many ways it still is. But Microsoft took an important step this week, finally switching on FIDO2 compliance, which means that you can log into Microsoft accounts on the Edge browser with just a Yubikey or biometric authentication. Fun times. Just don't misplace your hardware token.

This can't be an easy week for the US Postal Service, having to keep up with all those Black Friday two-day shipping orders. As an additional downer, the USPS website had a security weakness on its website that allowed anyone with a usps.com account to view the details of, well, anyone else with a usps.com account. They've finally fixed the problem, but that doesn't change the fact that personal information like names, addresses, phone numbers, email addresses, and more were all readily accessible for anyone who knew where to look.

More Great WIRED Stories