Skip to main content
Emerging ThreatsMalware & Ransomware

MyPillow Targeted in Play Ransomware Attack

Sensitive documents labeled Confidential and Financial scattered on a table in a brightly-lit office setting.

"private and personal confidential data, client documents, budget, payroll, IDs, taxes, finance information"

Those are the categories Play ransomware extortionists claimed to have taken from MyPillow in a dark‑web post that first appeared on the gang's data leak site on Monday, according to a copy of the posting seen by The Register and amplified on social media by threat‑intel firm FalconFeeds. The extortionists did not specify how many gigabytes of data they allegedly stole, but they warned they would publish the material by Friday unless MyPillow’s executives pay the demanded ransom.

What the extortion post alleges and how MyPillow has responded

The anonymous post on Play’s “name‑and‑shame” leak site lists payroll, taxes, IDs and a range of supposedly confidential corporate documents, but offers no precise inventory of files or technical indicators in the public-facing notice. The Register reported the listing and FalconFeeds shared the notice on social channels; The Register’s inquiries to MyPillow received no immediate reply, and the outlet said it would update the story if MyPillow responds.

Play ransomware: scale and operational techniques

Play’s extortion campaign is not an isolated nuisance. As of May 2025 the FBI reported that Play operators had allegedly exploited roughly 900 organizations, and the gang’s ransomware variant “consistently ranks among the top five targeting critical infrastructure,” The Register reported. Cisco Talos’ incident responders told The Register that Play is among the crews that used so‑called “EDR killers” to disable endpoint security products during infections, a technique that complicates detection and containment.

Previous intrusions and concrete costs

The gang’s past intrusions offer a picture of what a MyPillow attack might lead to. Play previously stole about 65,000 Swiss government files after breaching the IT supplier Xplain in 2023, according to the reporting. A year later the group compromised Microchip Technology; the American semiconductor manufacturer told regulators the attack disrupted some business operations and generated $21.4 million in expenses tied to the security incident.

What this means for security teams, the FBI, and MyPillow customers

  • Security teams and technologists: The combination of alleged file types (payroll, IDs, financials) and Play’s reported use of “EDR killers” points to challenges in detection and recovery. Security engineers will watch the leak site for indicators and test endpoint defenses against tampering techniques Play has reportedly used.
  • Policymakers and regulators (including the FBI): The FBI’s prior assessment of Play’s scale — roughly 900 alleged victims as of May 2025 — frames the group as a persistent, high‑impact actor. Regulators monitoring financial disclosures and incident notifications will compare any MyPillow filings to the precedent of Microchip’s public cost reporting.
  • MyPillow customers and corporate leaders: The extortionists’ explicit claim to possess payroll, tax and ID material will be unsettling for employees and customers if substantiated. MyPillow’s executives face the immediate operational decision whether to engage with the extortionists, involve law enforcement, or pursue containment and notification without paying — a choice the company had not publicly explained at the time of The Register’s report.

Play’s posting casts a familiar and uncomfortable light: a public deadline, a sweeping list of allegedly compromised records, and a ransomware crew with a documented history of disruptive intrusions and techniques designed to defeat defenders. For MyPillow the payoff calculus is now more than a matter of dollars; it is a strategic call about disclosure, containment and the company’s next public steps.

The story is continuing; The Register said it would update if MyPillow responds to inquiries. Read the original report here: https://www.theregister.com/cyber-crime/2026/05/26/mypillow-appears-on-play-ransomware-leak-site/5246513