Schuetz started suspecting that the leaked data originated from BlueToad after finding UDIDs that were listed multiple times in the leaked file and appeared to be linked to the company.
The UDIDs corresponded to devices such as "Bluetoad iPad," "Client iPad BT" and "BT iPad WiFi," and were listed multiple times with different Apple Push Notification Service tokens.
This suggested that those devices were running multiple apps from the same developer -- the developer that was probably the source of the leaked data.
After discovering that BlueToad is a mobile app developer, Schuetz realized that the listed devices might belong to BlueToad employees who were testing the company's own apps.
"By the time I went to bed [on Tuesday], I had identified nineteen different devices, each tied to BlueToad in some way," Schuetz wrote Monday in a blog post. "One, appearing four times, is twice named 'Hutch' (their CIO), and twice named 'Paul's gift to Brad' (Paul being the first name of the CEO, and Brad being their Chief Creative Officer). I found iPhones and iPads belonging to their CEO, CIO, CCO, a customer service rep, the Director of Digital Services, the lead System Admin, and a Senior Developer."
Schuetz informed BlueToad of his findings on Tuesday. The company asked for some time to investigate and confirmed on Friday that it was the source of the leaked data, Schuetz said. The two parties then agreed to make coordinated public disclosures on Monday.
BlueToad has notified law enforcement about the security breach and is cooperating with their ongoing criminal investigation of the parties responsible, DeHart said.
The company has fixed the vulnerability exploited by the hackers and engaged an independent security assurance company to help it ensure that such an incident doesn't happen again, he said.
"We understand and respect the privacy concerns surrounding the data that was stolen from our system," DeHart said. "BlueToad believes the risk that the stolen data can be used to harm app users is very low."
While some security researchers agree that the privacy risk associated with the leak of Apple UDIDs is low, others claim otherwise.
Some app developers have undisclosed vulnerabilities in their platforms that could allow attackers to extract more user information based on UDIDs, Aldo Cortesi, a security researcher who investigated the privacy risks of UDIDs in the past, said last week. Cortesi called the leak a "privacy catastrophe."