They were first alerted to the possibility by David Schuetz, a researcher employed by mobile device security consulting firm Intrepidus Group, who took the trouble to analyze the leaked UDIDs and the device names attached to them.
After discovering that a considerable number of devices had names that referenced Blue Toad and seemed to belong to the company's various departments, and after noticing that these devices' UDIDs showed up again and again in the list, he was pretty sure that they could be involved somehow.
He contacted them and shared his research, and the company's CIO asked him to please keep the matter quiet until they had the opportunity to investigate and see whether his theory was correct.
As it turns out, it was. BlueToad's own technicians downloaded the leaked data and compared it to their database, and 98 percent of the entries matched.
"As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this," BlueToad's CEO Paul DeHart shared with NBC.
The investigation discovered that the data had been stolen from the company's servers at some point during the last few weeks, but no details about how it happened have been released.
Schuetz says that the results of his analysis raised more questions. "Was BlueToad really the source of the breach? How did the data get to the FBI (if it really did at all)? Or is it possible this is just a secondary breach, not even related to the UDID leak, and it was just a coincidence that I noticed? Finally, why haven’t I noticed any of their applications in the (very few) lists of apps I’ve received?" he pointed out.
DeHart pointed out that they, of course, can't be sure that once the information was stolen from their servers hasn't ended up on a FBI laptop, but says that one thing they definitely do know is that it didn't contain 12 million UDIDs.
"As an app developer, BlueToad would have access to a user's device information such as UDID, device name and type," Apple spokeswoman Trudy Mullter commented the news. "Developers do not have access to users' account information, passwords or credit card information, unless a user specifically elects to provide that information to the developer."
A debate on whether the leaked information could be misused by attackers is still ongoing, with researchers such as Aldo Cortesi claiming that a UDID can be more than enough for skilled scammers and identity thieves.
Whether that's true or not, there isn't much the users can do about it except being vigilant, as the UDIDs are hard-coded into the devices.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.