MyPillow, a Minnesota-based bedding manufacturer founded by Mike Lindell, has been targeted by a ransomware group. This adds the company to a growing list of organizations that are currently under cyber extortion threats. As a result of the unauthorized access to a broad range of sensitive corporate and personal records, identified as Play, the threat actor claims that payroll data, financial information, tax information, identification information, and internal business files have been exfiltrated.
The claims have attracted attention due to the sensitive nature of the alleged exposed data, even though Lindell has denied the allegations and described them as politically motivated. As a result of this incident, the risks associated with modern ransomware campaigns are evolving, resulting from increased data theft and public exposure, which often accompany or replace traditional file encryption methods.
MyPillow has become increasingly aware that its network has been compromised and its company data has been stolen as further details emerge from the alleged intrusion. It was reported that CEO Mike Lindell dismissed the claims when they first emerged in May 2025, however, the threat actors later released approximately 9.8 gigabytes of data via a dark-web leak portal, a tactic commonly used to pressure organizations unwilling to negotiate ransom.
There are 11,456 files reported in the dataset dating from 2011 through 2026, indicating that historical records of the company have been preserved alongside more recent information about the company.
This exposure indicates that the attackers obtained sensitive operational data, including payroll records and financial transactions, indicating the potential depth of the compromise, as well as raising further concerns about how long unauthorised access will remain within the company's network.
Play's dark-web leak portal revealed the allegations of MyPillow, listing the company among its claimed victims and setting a deadline for public release of purportedly stolen information if ransom negotiations failed. The allegations gained further visibility when MyPillow appeared there.
Ransomware operations are evolving in a broader sense, with attackers increasingly stealing data and threatening to publish it, as opposed to relying solely on file encryption to threaten victims.
In the ransomware ecosystem, data-centric extortion tactics are becoming increasingly popular.
Modern threat groups increasingly prioritize stealing sensitive information over system encryption as a means of disrupting business operations. By leveraging the threat of public disclosure, they are exerting pressure on victims by leveraging the theft of sensitive information. By adopting this approach, organisations become more vulnerable to reputational damage, regulatory scrutiny, legal liabilities, and heightened concerns about employee and customer privacy as a result of an incident.
The lack of verification can lead to unverified claims of data compromise quickly escalating to a broader business risk, prompting questions about the security posture of the organization and the integrity of data that has been entrusted to it from stakeholders, partners, insurers, and regulators.
In addition to the nature of the alleged cyber intrusion, the incident has gained heightened public attention as a result of the company's and its leadership's high profile.
During Mike Lindell's tenure, MyPillow has grown beyond its flagship bedding products to include mattresses, linens, bath products, nutritional supplements, coffee, and snacks.
Since Lindell is a political activist and continues to promote disputed claims regarding the 2020 U.S. presidential election, MyPillow's public profile extends beyond retail. These claims have resulted in multiple legal challenges, making any major development involving the company likely to be of interest to individuals outside the cybersecurity community as well.
The consequences of such an unverified claim of data compromise are that it quickly escalates into a broader business risk, causing stakeholders, partners, insurers, and regulators to inquire about the organization's security posture and the integrity of data entrusted to it. Due to the nature of the alleged cyber intrusion as well as the profile of the company and its management, the incident has heightened public attention.
Since Mike Lindell has become President of MyPillow, it has expanded its product line beyond its bedding offerings to encompass mattresses, linens, bath products, nutritional supplements, coffee, and snack items. Due to Lindell's political activism and ongoing promotion of disputed claims surrounding the 2020 United States presidential election, MyPillow's public profile has extended beyond retail.
A number of legal challenges have been brought against the company for these claims, making any major development involving the company likely to draw attention from outside the cybersecurity community as well.
According to Lindell, political controversy has negatively impacted MyPillow's business, indicating that independent assessments have estimated an estimated $400 million in losses to the company and brand.
Additionally, Lindell indicated that he plans to seek compensation through President Donald Trump's recently instituted $1.8 billion Anti-Weaponization Fund, an initiative that has become the subject of political debate and controversy.
Since several years, MyPillow has had financial difficulties, particularly after major retailers, including Walmart, Kohl's, J.C. Penney, Wayfair, and Bed Bath & Beyond, removed its products from their shelves as a result of the events surrounding January 6. While Lindell has maintained that these decisions were politically motivated, several retailers have indicated that declining consumer demand played a significant role in these decisions.
Due to this, the ransomware claims are coming at a time when the company is already confronting legal disputes, reputational pressure, and broader political controversy.
The ten candidates who seek the Republican nomination to run for Minnesota’s gubernatorial office include Lindell, who will face Senator Amy Klobuchar as the Democratic frontrunner after Governor Tim Walz has decided not to seek another term.
Based on the information reportedly exposed through the leak, it appears as though access has been gained to some of the company's most important financial and personnel records.
It is believed that the breach resulted in the theft of Social Security numbers, tax documentation including W-9 and 1099 forms, payroll records containing employee contact information, bank statements, wire transfer documentation, American Express account statements, vendor billing records, advertising expenditure reports, internal audit documents, budgeting materials from the corporation, and even aviation-related expense logs associated with private aircraft operations.
From a data security and compliance perspective, the breadth of the dataset indicates that the attackers may have accessed systems that contained both administrative and operational information, thus increasing the severity of the incident.
From a data security and compliance perspective, MyPillow has not disclosed how many people were potentially affected, whether external incident-resolution specialists were consulted, or whether identity theft protection services were offered to the affected.
It remains unclear, therefore, how the breach was disclosed, how notifications were carried out, and how the company is conducting remediation efforts.
In addition to the immediate allegations, this incident illustrates an important aspect of cybercrime: access to sensitive information has become just as valuable to threat actors as access to systems. In this case, it is likely that the outcome will be determined not only by what was accessed, but also by what was disclosed.
.jpg "MyPillow Hit by Ransomware Attack as Cyber Threats Intensify")
.jpg)
