It’s been an insane week—in the security world and beyond. As Brett Kavanaugh's Supreme Court nomination hearings captivated the nation, the information war to sway public opinion raged, mirroring a real warzone.

In case you didn’t have time to follow everything else that happened, here’s a quick rundown. Though technically the news of Facebook’s massive breach broke last Friday, the repercussions were still being felt and figured out this week. But as the enormity of that internet-wide disaster settled in, an even more troubling report alleged that China-backed hackers had infiltrated the supply chain of major American tech companies, implanting spy chips into servers. We reported why such an unprecedented attack is a “scary big deal,” and one for which there is no easy fix.

You can distract yourself from the geopolitical implications of that hack by reading about why it’s legal for cops in the US to force you to unlock your iPhone with your face. Malware has a new way to hide on your Mac. A simple bug hit Cox Communications customers. A startup breach exposed billions of data points. Russian spies infiltrated hotel Wi-Fi to hack their victims up close.

In good news, old Androids got a security upgrade. And in weird news, FEMA sent out the first “presidential” text alert, which some people tried to avoid, and others didn’t receive.

And there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Sometimes, a good thing happens. We know, it’s hard to believe. We almost didn’t believe it ourselves! But a new law in California is going to ban any devices sold in the state from being sold with insecure default passwords. That doesn’t maybe sound like a big deal, but it actually is. Remember that massive Mirai botnet that took over the internet a few years ago? It worked by hacking millions of insecure Internet of Things devices, and then combining their power—kind of like a zombie horde—to become an internet-destabilizing super-botnet. It was only able to do that because so many IoT devices have bad default passwords. People often don’t change those passwords, leaving those devices as sitting ducks for enterprising hackers. Now, any device that wants to be sold in the massive market that is California will need to come up with something better than “Password123.”

Back in February, special counsel Robert Mueller indicted 13 Russian citizens and three Russian businesses for their hacking of the 2016 election. Since then, one of those businesses has mounted a spirited defense in US court—a surprising turn of events since all the named defendants were safely in Russia and never needed to actually face any court proceedings in the US. Now, some legal experts believe the Russian company is engaging in the US judicial system in order to gather intelligence and undermine Mueller’s Russia investigation, as ABC News reports. The concern is that Russia may be hoping to get information through the US legal system’s disclosure requirements during the discovery phase of the case.

Look, better late than never. Yes, your Twitter account has had two-factor turned on for years, and arguably two-factor isn’t even the cutting-edge of security best practices anymore. But on Wednesday of this week, the chief technologist for the Center for Democracy and Technology noticed that this week the government finally rolled out two-factor for .gov websites. Most importantly, it will be mandated for everyone who uses .gov domains or accounts.

More Great WIRED Stories