Ransomware | MYPILLOW-PLAY-RANS | 2026-05-27

MyPillow: Play Ransomware Leak Site Listing

MyPillow, the US-based bedding company founded by Mike Lindell, has been named on the Play ransomware gang's dark-web leak site as an alleged victim. The listing first surfaced Monday, with attackers threatening to publish stolen data by Friday unless a ransom is paid. The intrusion was first reported by The Register, citing details corroborated by threat-intel firm FalconFeeds.

What Happened

Play ransomware operators added MyPillow to their name-and-shame extortion portal earlier this week. According to the dark-web post reviewed by The Register, the gang gave the company until Friday to meet ransom demands before releasing the allegedly exfiltrated data. MyPillow has not publicly responded to inquiries about the incident, and the size of the stolen dataset has not been disclosed by either party. Play operates a double-extortion model, encrypting victim environments while simultaneously stealing data to pressure payment.

What Was Taken

The criminals claim to hold a broad set of sensitive corporate and personal records. Per the leak-site post, the haul allegedly includes private and personal confidential data, client documents, budget files, payroll records, government-issued IDs, tax filings, and finance information. While Play did not specify gigabyte volumes, the data categories described would expose both employees and business counterparties to fraud, identity theft, and follow-on social engineering. Payroll and tax filings in particular often contain Social Security numbers, bank account details, and dependent information.

Why It Matters

Play is no fringe operation. The FBI assessed in May 2025 that Play affiliates had compromised roughly 900 organizations and ranked the variant among the top five threats to critical infrastructure. Prior victims include Swiss IT supplier Xplain, where Play exfiltrated about 65,000 Swiss government files in 2023, and American semiconductor manufacturer Microchip Technology, whose 2024 attack cost the firm $21.4 million in incident-related expenses. North Korean state-aligned operators have also been observed deploying Play, blurring the line between criminal and state-sponsored use. A high-profile, politically charged victim like MyPillow raises the likelihood of opportunistic leaks, doxxing, and targeted harassment of named individuals in the dataset.

The Attack Technique

Play has not publicly disclosed the initial access vector used against MyPillow, and the company has not confirmed the intrusion. Historically, Play affiliates have favored exploitation of internet-facing infrastructure, including FortiOS and Microsoft Exchange vulnerabilities, exposed RDP services, and valid account abuse. Cisco Talos incident responders have previously identified Play as one of the crews deploying so-called EDR killers, kernel-level tooling that disables endpoint detection and response agents before encryption begins. The gang typically conducts hands-on-keyboard reconnaissance, escalates privileges, and stages exfiltration before detonating ransomware across the environment.

What Organizations Should Do

  1. Patch and harden internet-facing edge devices, prioritizing Fortinet, Microsoft Exchange, and any remote access gateways with known Play-favored CVEs.
  2. Enforce phishing-resistant multi-factor authentication on all VPN, RDP, and administrative access paths, and disable legacy authentication.
  3. Hunt for EDR-killer artifacts, including unauthorized signed-driver loads and tampering with security service processes, using behavioral detection rather than signature-only tooling.
  4. Segment networks and restrict lateral movement paths, particularly between corporate, HR, and finance systems that hold the data categories Play tends to exfiltrate.
  5. Maintain offline, immutable backups and rehearse restoration end-to-end, including identity systems, to avoid being forced into a ransom decision.
  6. Monitor leak sites and threat-intel feeds for early signs of listing so legal, communications, and incident response can mobilize before public disclosure.
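A minimal hunt for the EDR-killer artifacts named in step 3, added here as an example and not taken from the original brief or from any vendor tooling: it runs over constructed Sysmon-style driver-load (Event ID 6) and System-log service-state (7036/7040) events, flags drivers loaded from outside a baseline directory even when their signature is valid, and flags stop or disable changes to a hypothetical EDR service name. The trusted directory and the protected service name are assumptions to replace with your own baseline.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample events modelled on Sysmon EventID 6 (DriverLoad) and the
# System log's 7036 (state change) / 7040 (start-type change) service events.
# Field names follow those schemas; every value below is made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\tmp\helper.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\x.sys", "SignatureStatus": "Unavailable"},
    {"EventID": 7036, "ServiceName": "example-edr-agent", "State": "stopped"},
    {"EventID": 7040, "ServiceName": "example-edr-agent", "NewStartType": "disabled"},
    {"EventID": 7036, "ServiceName": "Spooler", "State": "stopped"},
]

# Assumed baseline: where legitimate drivers live, and which service names your
# EDR agent uses. Both are placeholders to be filled from your own inventory.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)
PROTECTED_SERVICES = {"example-edr-agent"}  # hypothetical EDR service name


@dataclass
class Finding:
    rule: str
    detail: str


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious driver load or EDR-service tamper event."""
    findings: list[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 6:
            path = ev["ImageLoaded"].lower()
            if not any(path.startswith(d) for d in TRUSTED_DRIVER_DIRS):
                # A valid signature is not a pass: EDR killers commonly load a
                # legitimately signed but vulnerable driver from a scratch directory.
                why = ("signed driver loaded from untrusted path"
                       if ev.get("SignatureStatus") == "Valid"
                       else "unsigned or unverifiable driver loaded")
                findings.append(Finding("driver_load", f"{why}: {ev['ImageLoaded']}"))
        elif eid in (7036, 7040):
            name = ev.get("ServiceName", "")
            if name.lower() in PROTECTED_SERVICES:
                # Stopping the agent or flipping its start type to disabled are the
                # two service-level tamper signals worth alerting on.
                change = ev.get("State") or f"start type changed to {ev.get('NewStartType')}"
                findings.append(Finding("service_tamper", f"{name}: {change}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Feed it real events by mapping your SIEM's field names onto the three keys used above; the logic is deliberately behavioural (path and state changes) rather than tied to any particular driver hash.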

Sources: MyPillow appears on Play ransomware leak site