MyPillow Listed on Play Ransomware Leak Site, Faces Data Exposure Threat

MyPillow, the US-based bedding brand founded by election conspiracy theorist Mike Lindell, has been listed as a victim on the Play ransomware group's leak site. The gang threatens to publish stolen data by Friday if the company does not pay the ransom demand. The stolen data reportedly includes "private and personal confidential data, client documents, budget, payroll, IDs, taxes, finance information" and more, according to the dark-web post seen by The Register and shared on social media by threat-intel firm FalconFeeds.

Play ransomware is a well-known threat group that has been active since at least 2022. According to the FBI, as of May 2025, Play operators had compromised approximately 900 organizations. The group consistently ranks among the top five ransomware variants targeting critical infrastructure. Play has previously hit high-profile targets such as Microchip Technology and a Swiss government IT supplier, Xplain, from which they stole around 65,000 government files.

The group is known for using sophisticated techniques, including so-called "EDR killers" to disable endpoint security products during their ransomware infections, as reported by Cisco Talos incident responders. North Korean government hackers have also been observed using Play ransomware in their intrusions.

MyPillow has not yet responded to requests for comment. The company is perhaps best known for its founder's political activism; Mike Lindell is a prominent supporter of former President Trump's false claims about the 2020 election and is currently running for governor of Minnesota.

This incident highlights the ongoing threat posed by ransomware groups like Play, which continue to target a wide range of organizations across various sectors. The potential exposure of sensitive data could have significant consequences for MyPillow and its clients.