What a week for Facebook. The news blitz began over the weekend, as the company responded to multiple recent controversies, from livestreaming to disappearing blog posts. Then on Wednesday, security researchers at UpGuard found that two different third-party apps left more than 540 million Facebook records unprotected in the cloud. On Friday, we reported that Facebook had been letting cybercrime groups operate in plain sight. It never ends.

Speaking of entrenched problems: The security nightmare that is President Trump’s Mar-a-Lago resort was back in the news this week after the arrest of a Chinese woman who snuck onto the property with, among other things, a thumb drive containing malware. We broke down all the many reasons why the “Winter White House” is, as one expert says, “an attacker's dream and a physical security nightmare."

We profiled ethical hacker Eva Galperin, who’s been on a mission to eradicate consumer spyware used by stalkers and domestic abusers. Jake Laperruque, senior counsel for the Constitution Project at the Project on Government Oversight, argued in an op-ed that it’s time for the government to end the NSA’s metadata collection program. And Right to Repair advocate Nathan Proctor argued that the movement has now become a national security issue.

Oh, and if you’re filing your taxes in the coming days: First of all, get on it, slacker! And secondly, beware of phishing scams.

Of course, there was more. Each week we round up all the news WIRED didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

Some Facebook users were recently asked to provide the company with the password for the email they used to sign up with the service, according to Kevin Poulson from the Daily Beast, who was investigating a tip from Twitter. This comes only two weeks after Facebook admitted that it had stored millions of users’ Facebook, Facebook Lite, and Instagram passwords insecurely in plaintext on internal servers, where anyone in the company could access them. After Poulson published his story, Facebook told the Daily Beast it would stop asking for email passwords. While the company claims it never stored the passwords, one security expert called the whole thing “beyond sketchy.”

Speaking of sketchiness, when the Barker family checked into their vacation Airbnb in Ireland, the first thing they did was scan the Wi-Fi network for any connections. You know, as one does. What they found was a camera in the living room live-streaming their every move. The Barkers’ story follows a report last week in The Atlantic about other Airbnb guests who claim the company doesn’t take these kinds of incidents seriously enough. The Barkers told CNN that when they contacted Airbnb, the company didn’t appear to understand why they felt uncomfortable staying in the house and told them that because they were canceling the booking within 14 days, they’d be charged for their stay. CNN reports that Airbnb permanently banned the host only after the family posted about the incident on Facebook and got their story reported on by the press.

Sorry, fans of family-style Americanized Italian dining! Earl Enterprises, which owns the chain eatery known for heaping plates of pasta, among other restaurant chains, confirmed that it was hit by a security breach that exposed more than 2 million customer credit cards. According to KrebsOnSecurity, which alerted the company to the breach in February, hackers installed malware on restaurant point-of-sale credit card machines to steal financial information that they then sold. Other restaurants hit? Earl of Sandwich, Mixology, Tequila Taqueria, something called Chicken Guy! (with the exclamation point), and classy ‘90s throwback Planet Hollywood.

Oof. You were trying to be a good citizen and contact your elected officials, as the activists are always telling you to do! You got an email, maybe, or saw a link on Facebook, and it took you to a form where you could send a prewritten message to politicians, urging them to vote a certain way or care about poor people for once, or whatever your cause of the day was. And that’s great! Evidence shows that contacting your legislators can actually work. But if you happened to use a form through a Washington, DC, group called VoterVoice, your email address and other personal data may have been exposed on an insecure server. TechCrunch reports that so far the company appears to have done nothing to lock down the server and protect the info stored there.

More Great WIRED Stories