In a refreshing change of pace, this week’s security news included little to no escalation of nuclear rhetoric. Let’s count that as a win! Among quite a few losses.

Digital financial services provider Enigma, for instance, lost its supporters almost $500,000 in cryptocurrency thanks to bad password habits. Domestic helper robots lost security cred by being hacked into tiny robotic Chucky dolls. The US government nearly lost a security-focused ranking of industries, coming in 16 out of 18. And we’re all about to lose our minds with tech anxieties, but at least we’re not alone.

Meanwhile, we took a look at how Microsoft has eased anxieties around PowerShell, a favorite hacker target. Instead of banning killer robots, maybe just try to regulate them. Stormfront Nazis are spatting with the “alt-right,” echoing some of the same white-supremacist infighting of the 60s. And the government has elevated US Cyber Command, because lord knows we need it now more than ever.

Of course, there’s more, which is why we’ve rounded up all the news we didn’t break or cover in depth this week. As usual, click on the headlines to read the full stories.

A Case of Facebook Knowing More About You Than You Do

Gizmodo has a great story about a case of Facebook’s People You May Know feature getting a little too personal. The social network served up a previously unknown relative to reporter Kashmir Hill—someone she had no connection with, online or otherwise—and declined to tell her how. There have been plenty of other examples of Facebook’s offputting clairvoyance, but Hill’s story gets into the deeper issues of not just what it knows, but how.

AccuWeather Sent Location Data to Advertisers Even When You Turned It Off

Oh, dear. This week, security researcher Will Strafach found that popular weather app AccuWeather sent your GPS coordinates, the name and MAC address of the Wi-Fi router you were on, and whether Bluetooth was activated to a data monetization company—even after you explicitly told AccuWeather not to access your location when you’re not using it. This is very bad! Accuweather gave an unconvincing apology that wasn’t quite apologetic before pulling the responsible SDK from the app. And then sent your location to another data broker. Maybe try Dark Sky instead?

US Arrests Chinese National in Connection With OPM Hack Malware

The feds arrested a man named Yu Pingan in connection with a malware called Sakula, which was used in the devastating hack of the Office of Personnel Management in 2014. The actually filing doesn’t name OPM, though, and Sakula was used to attack several US companies in the last few years, so it’s not clear that the two are connected. Still, it’s a good excuse to look back at our in-depth feature on how the OPM hack went down. So do that!

Android Apps With 100 Million Downloads Spread Malware

Google pulled 500 apps from the Google Play store this week, because an advertiser’s SDK was secretly sending user data back to Chinese servers. (Not a great week for advertising SDKs.) Security research firm Lookout spotted the invasive behavior, and while it didn’t name names of afflicted apps, it did note that they cumulative had 100 million downloads.

House Democrats Want to Keep the State Department Focused on the Cyber

In July, the US State Department exiled its Cyber Security branch to an administrative backwater, an odd move given the importance of cyberdiplomacy in 2017. So odd, in fact, that representative Debbie Dingell, a Democrat from Michigan, has sponsored an amendment to a spending bill that would prevent Secretary of State Rex Tillerson from doing so. It’s unclear what chance the amendment has to succeed, but at least someone’s raising a warning flag.