When a mattress company’s secrets surface on the dark web, headlines don’t always come from the press. On Thursday, a leak portal operated by the Play ransomware gang—also known as Playcrypt—named Minnesota‑based MyPillow, Inc. as a victim of a cyber‑extortion attack. The attackers claim to have siphoned 9.8 gigabytes of data, including payroll records, financial statements, tax documents, identification data, and internal business files that span a 15‑year period from 2011 to 2026. The group has set a May 31 2026 deadline for the company to contact them before the data is publicly posted.

MyPillow, founded in 2009 by Mike Lindell, has grown from a handful of employees to more than 1,500 and sold over 41 million pillows. Lindell, a prominent supporter of former President Donald Trump, has faced multiple legal challenges over advertising claims. He has repeatedly denied that the company suffered a breach, labeling the Play allegations as politically motivated.

Play first emerged in 2022 and has targeted a range of businesses and government entities across North America, South America, and Europe. The gang employs a multi‑extortion model that combines ransomware encryption with the threat of publicly releasing stolen data. In its recent activity, Play has listed several organizations on its dark‑web leak portal, setting a deadline for payment or negotiation.

The data set released by Play contains 11,456 files, covering payroll and tax information that exposes employee Social Security numbers, bank account details, and salary information. Analysts note that the breadth of the data suggests attackers accessed a wide range of internal systems.

Cybersecurity experts point out that Play’s approach reflects a broader shift in ransomware tactics. Rather than relying solely on file encryption, many modern threat actors prioritize data theft and the threat of public disclosure to pressure victims. This strategy can lead to reputational damage, regulatory scrutiny, and legal liabilities, especially when personal data is involved.

Regulators in the United States and the European Union have issued guidance on handling data breaches that involve payroll and tax information. Companies that fail to protect such data may face investigations under the U.S. Privacy Act, the California Consumer Privacy Act, or the UK General Data Protection Regulation and Data Protection Act. While MyPillow has not confirmed the breach, the company’s denial does not preclude potential investigations.

The situation remains unresolved as the deadline approaches. If Play’s threat to publish the data is carried out, it could trigger a cascade of regulatory inquiries and damage to MyPillow’s brand, which has already been subject to public scrutiny over its political activities. The company’s leadership has not yet announced a formal incident response plan or whether it will engage with Play.

In the coming days, stakeholders will monitor whether MyPillow reaches a settlement with Play, whether the data is released, and how the company addresses potential regulatory compliance. The incident underscores the importance of robust cybersecurity defenses and incident response capabilities for companies that handle sensitive employee and financial data.

The outcome of this case will likely influence how other organizations prepare for data‑centric ransomware threats and how regulators enforce data protection obligations in the wake of high‑profile breaches.