App development company Blue Toad has come forward as the likely source of Apple unique device IDs (UDIDs) leaked by hackers last week. In an interview with NBC News, Blue Toad's CEO Paul DeHart says that the company checked the million UDIDs that AntiSec posted against its own database, comparing IDs and other metadata like device names. The correlation was strong enough for a "100 percent confidence level," he says. "It's our data." DeHart declined to specify how the data was taken, citing an ongoing investigation, but he did say it had likely happened in the past two weeks. AntiSec's version of events, by contrast, has the UDIDs taken from an FBI agent's laptop back in March.

Nonetheless, it's not at all clear that Blue Toad was aware of the theft at the time it happened, and it's downplayed the security issues involved. According to NBC, an independent security researcher realized that several devices on AntiSec's list bore names associated with Blue Toad, then contacted the company. Now, Blue Toad says it will not be telling users about the leak directly; it will leave that up to the publishers to which it licenses its services. "I would hate to suggest that [users] need to go out and begin clearing off their device or removing or deleting apps," says DeHart, "just because of the concern that this."

It's still theoretically possible that the data was taken from Blue Toad, posted somewhere else, and then accessed by AntiSec. But in all likelihood, the FBI connection was just a way to get more attention for the story. At this point, what this incident shows is that when mobile apps collect data like UDIDs or address book information, it's not simply an abstract privacy issue. Even if a company is able to "successfully defend against thousands of cyber attacks each day," as Blue Toad claims it does, it's no guarantee that some of the data won't show up online.