The bedding company MyPillow has been named by the Play ransomware gang as an alleged victim. Threat actors claim they have exfiltrated confidential corporate data and are threatening public release unless a ransom is paid.

MyPillow appears on Play ransomware leak site
The Play ransomware collective, responsible for dozens of high‑profile breaches, posted MyPillow’s name on its public “name‑and‑shame” portal on Monday. The gang gave the company until Friday to meet a ransom demand, warning that it would publish a dump of the stolen files if the deadline is missed.
What the gang claims to have taken
Play’s leak note lists a broad set of data types:
- Private and personal confidential data
- Client documents and contracts
- Budget, payroll and tax records
- Employee IDs and HR files
- Financial statements and transaction logs
The post does not disclose the exact volume of data, but the language mirrors previous Play disclosures that have involved tens of gigabytes of information.
Technical background on Play’s tactics
Play’s ransomware variant has a reputation for disabling endpoint detection and response (EDR) tools. Cisco Talos has documented the group’s use of “EDR killers” that inject code into security agents, rendering them ineffective before the encryption stage begins. The payload then encrypts files with a unique RSA‑2048 key per victim and drops a ransom note that references a Tor‑hosted payment portal.
Incidents and figures attributed to the gang in recent years:
| Year | Target | Impact |
|---|---|---|
| 2023 | Swiss government supplier Xplain | ~65,000 files exfiltrated |
| 2024 | Microchip Technology | $21.4 M in remediation costs |
| 2025 | Approx. 900 organizations overall (FBI estimate) | Consistently in top‑5 ransomware families targeting critical infrastructure |
These incidents show a pattern of targeting firms with large amounts of sensitive data and a willingness to threaten public exposure to increase pressure.
Why MyPillow is a tempting target
MyPillow operates a nationwide retail network, an e‑commerce platform, and a sizable payroll system. The company processes thousands of credit‑card transactions daily and stores employee and vendor information in legacy ERP systems that are often difficult to patch. Such an environment provides a rich attack surface for a group that already knows how to bypass endpoint defenses.
Possible response paths for MyPillow
- Negotiation and payment – Paying the ransom may stop the immediate leak but does not guarantee that the data will not be posted later. It also funds the gang’s operations.
- Public disclosure and law‑enforcement involvement – Notifying the FBI and state authorities can trigger a coordinated response, but it may also accelerate the gang’s timeline for publishing the dump.
- Technical containment – Isolate affected network segments, restore from verified backups, and run forensic analysis to identify the initial intrusion vector. Play’s use of EDR‑killers means that traditional logs may be incomplete, so a deep packet capture review is advisable.
- Legal and regulatory action – Depending on the data categories involved (e.g., payroll, tax IDs), MyPillow could face breach notification obligations under state privacy statutes and possibly the FTC’s Safeguards Rule.
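For the technical containment item above, one way to find hosts where endpoint telemetry may be incomplete is to compare EDR agent heartbeats against network flow records from a separate sensor. This is an added example, not code from the article or from any vendor. It assumes both sources can be exported as (host, timestamp) rows and that a disabled agent stops reporting; the host names and data are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _by_host(rows):
    """Group (host, ISO-8601 timestamp) rows into sorted datetimes per host."""
    grouped = defaultdict(list)
    for host, ts in rows:
        grouped[host].append(datetime.fromisoformat(ts))
    return {host: sorted(times) for host, times in grouped.items()}

def edr_silence_gaps(heartbeats, flows, start, end, max_gap=timedelta(minutes=15)):
    """Flag hosts whose EDR agent went quiet while they kept using the network.

    Returns (host, gap_start, gap_end, flow_count) tuples. A powered-off host
    also stops sending heartbeats, so only gaps that contain flows are reported.
    """
    beats, net = _by_host(heartbeats), _by_host(flows)
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    findings = []
    for host in sorted(set(beats) | set(net)):
        # Window edges count as boundaries, so a host with no heartbeats at all
        # yields one gap spanning the whole window.
        marks = [t0] + [t for t in beats.get(host, []) if t0 < t < t1] + [t1]
        for gap_start, gap_end in zip(marks, marks[1:]):
            if gap_end - gap_start <= max_gap:
                continue
            seen = sum(gap_start < f < gap_end for f in net.get(host, []))
            if seen:
                findings.append((host, gap_start.isoformat(), gap_end.isoformat(), seen))
    return findings

# Constructed sample telemetry (hypothetical hosts, one-hour window).
def _every5(host, first_min, last_min):
    return [(host, f"2026-01-05T09:{m:02d}:00") for m in range(first_min, last_min + 1, 5)]

# ws-01 reports all hour; fs-02 stops at 09:10; lap-03 stops at 09:05 (powered off).
HEARTBEATS = _every5("ws-01", 0, 55) + _every5("fs-02", 0, 10) + _every5("lap-03", 0, 5)
FLOWS = _every5("ws-01", 2, 57)
FLOWS += [("fs-02", f"2026-01-05T09:{m:02d}:00") for m in (4, 20, 40, 55)]
# db-04 generates traffic but never sent a heartbeat (agent absent or disabled).
FLOWS += [("db-04", "2026-01-05T09:30:00")]

if __name__ == "__main__":
    for finding in edr_silence_gaps(HEARTBEATS, FLOWS,
                                    "2026-01-05T09:00:00", "2026-01-05T10:00:00"):
        print(finding)
```

Hosts flagged this way are candidates for packet-capture and disk forensics first, since their endpoint logs cannot be trusted for the gap period.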
What’s next?
The deadline set by Play is Friday, 31 May 2026. If the company does not meet the demand, the gang is expected to post the data on its public leak site, where it can be downloaded by anyone with the link. Observers will be watching the leak page for a file‑hash list that could confirm the scope of the breach.
Contextual note on Play’s broader activity
Play ransomware has been linked to North Korean state‑backed actors in several campaigns, suggesting a hybrid financing model where profits are shared with government‑sponsored groups. The gang’s focus on critical‑infrastructure sectors—including healthcare, semiconductor manufacturing, and now a consumer‑goods company—highlights the expanding definition of “critical” in ransomware economics.
We will update this story if MyPillow or law‑enforcement agencies provide additional details.
