Play Ransomware Gang Claims Attack on MyPillow, Threatens Data Leak
The Play ransomware group has listed MyPillow, the U.S.-based bedding company founded by election conspiracy theorist Mike Lindell, as an alleged victim. The extortionists added the company to their dark-web leak site on Monday, warning that stolen data including confidential financial records, payroll, client documents, and personal IDs would be released by Friday unless a ransom is paid.
Play did not disclose the volume of exfiltrated data but claimed it encompasses sensitive internal and customer information. MyPillow has not responded to requests for comment.
As of May 2025, the FBI reports that Play has targeted approximately 900 organizations, with its ransomware variant ranking among the top threats to critical infrastructure. The group has a history of high-profile attacks, including the 2023 breach of Swiss government files via IT supplier Xplain and a 2024 intrusion at semiconductor firm Microchip Technology, which incurred $21.4 million in recovery costs.
Security researchers note that Play has employed "EDR killers" to disable endpoint protection during attacks. The group has also been linked to North Korean state-backed hackers.
MyPillow, led by Lindell a prominent supporter of former President Trump’s 2020 election fraud claims and a current Minnesota gubernatorial candidate has faced scrutiny over its founder’s political activities. The ransomware incident adds to the company’s recent challenges.
My Pillow Inc cybersecurity rating report: https://www.rankiteo.com/company/mypillow-inc
Microchip Technology Inc. cybersecurity rating report: https://www.rankiteo.com/company/microchip-technology
"id": "MYPMIC1779819824",
"linkid": "mypillow-inc, microchip-technology",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Bedding/Retail',
'location': 'United States',
'name': 'MyPillow',
'type': 'Company'}],
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Confidential financial records',
'Payroll',
'Client documents',
'Personal IDs']},
'description': 'The Play ransomware group has listed MyPillow, the U.S.-based '
'bedding company, as an alleged victim. The extortionists '
'added the company to their dark-web leak site, warning that '
'stolen data including confidential financial records, '
'payroll, client documents, and personal IDs would be released '
'by Friday unless a ransom is paid.',
'impact': {'data_compromised': 'Confidential financial records, payroll, '
'client documents, personal IDs',
'identity_theft_risk': 'High'},
'motivation': 'Extortion',
'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Play'},
'references': [{'source': 'FBI Report'}, {'source': 'Security Researchers'}],
'threat_actor': 'Play Ransomware Group',
'title': 'Play Ransomware Gang Claims Attack on MyPillow, Threatens Data Leak',
'type': 'Ransomware'}