A digital publishing company named BlueToad has come forward to take responsibility for the leak of a million iOS unique device identifiers (UDIDs) that were previously attributed to an alleged FBI laptop hack. In a number of interviews published Monday, BlueToad apologized to the public for the incident, explaining that hackers had broken into the company's systems in order to steal the file. The company says, however, that it had "nowhere near" the alleged 12 million UDIDs that hacking group AntiSec claims to have in its possession.

According to BlueToad, the company matched its own data against the list released by AntiSec last week and, according to an interview with NBC, found a 98 percent correlation. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this," BlueToad CEO Paul DeHart told NBC. "I had no idea the impact this would ultimately cause. We're pretty apologetic to the people who relied on us to keep this information secure."

AntiSec claimed last week that it had successfully hacked into an FBI-owned laptop and obtained a list of 12 million UDIDs. The group alleged these were being collected by the FBI for unknown reasons. AntiSec then released the first million of those UDIDs publicly, with the promise that there were plenty more where those came from. Numerous users were able to find their UDIDs on the list—including some journalists and security researchers—but there was skepticism from the beginning that the FBI was actually involved. The FBI itself issued a statement saying it had no evidence of such data collection or a hack. Apple soon followed with its own statement saying the FBI had not requested UDIDs from Apple, and even if it had, Apple would not have handed them over.

As such, it was widely suspected that the list in fact came from a social network of some kind, or some other app that collects user data. As we wrote in our Ask Ars on the topic, the UDID itself is just a string of characters that uniquely identifies a particular iPhone, iPad, or iPod touch—practically every developer that offers apps on the App Store has a list of UDIDs somewhere, and the UDID alone cannot reveal much about you. But many app-makers did collect some personally identifiable information from users—such as names, phone numbers, addresses, and other data—and associated it with their UDIDs. As such, it is possible to de-anonymize a UDID and associate it with other information floating around on the Internet.

This is part of why Apple decided to deprecate the use of UDIDs when it released iOS 5 in October of 2011. Developers were instructed to instead generate a unique identifier that is only accessible by a single app when needed. Earlier this year, Apple began rejecting apps that make use of the UDID.

"Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID,” Apple spokesperson Natalie Kerris told All Things D.

But just because Apple and its developer network no longer actively use UDIDs to track users, it doesn't mean massive lists of UDIDs aren't still out there in plenty of companies' databases. On Monday, security researcher and self-identified "iOS hacker" David Schuetz published an article outlining how he pinpointed BlueToad as the true origin of the AntiSec list. Schuetz was eventually able to get in contact with BlueToad CIO Hutch Hicken, who said the company was assessing the information and asked for Schuetz's discretion until BlueToad could be sure of the breach.

It now appears as if BlueToad is sure. BlueToad CEO Paul DeHart told both NBC and the New York Times that the company notified law enforcement and Apple about the breach, and said it hired a security firm to audit its systems.

“We decided to come forward to apologize to our customers, partners and the public in general that this got out there,” DeHart told the New York Times. “We face thousands of attacks every day that we’ve been successful at defending. This one happened to get through.”

Some questions still remain, however. DeHart says the company most certainly did not have a list of 12 million UDIDs as originally claimed by AntiSec, and the hacking group has yet to make good on its promise to release a more extensive list. AntiSec has also not commented yet on BlueToad's—not the FBI's—claimed ownership of the leaked file. But Apple has affirmed that the data stolen from BlueToad is typical of what an app developer might have on record.

"As an app developer BlueToad would have access to a user’s device information, such as UDID device name and type," Apple spokesperson Trudy Muller told the Times. She added that developers would not automatically have access to other personal information "unless a user specifically elects to provide that information to a developer."