The CEO of BlueToad, Paul DeHart, confirmed to NBC News that the identifiers, known as UDIDs, were taken from his company's databases. Technicians at BlueToad downloaded the list of UDIDs and found a 98 percent correlation between its own data and the leaked list.
"That's 100 percent confidence level, it's our data," DeHart said. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record, and take responsibility for this."
In a statement, Apple confirmed that BlueToad would have access to UDID device names and types, because the company is a registered iOS app developer. But the company also clarified that developers do not have access to user account information, passwords or credit card information.
BlueToad provides digital edition and mobile application support to more than 6,000 different publishers.
The public admission by BlueToad brings to a close the question of where the hacking group "AntiSec" obtained a list of more than 1 million UDIDs that were published online. The group originally said the identifiers were stolen from an FBI laptop, but the bureau publicly denied those claims.
After 1,000,001 UDIDs were published by AntiSec, the group claimed the list was just a small sampling of over 12 million total IDs it had stolen.
Apple also issued a statement on the situation last week, noting that it did not provide any UDIDs to the FBI, and that the FBI or any other organizations did not request such information from Apple. Starting with iOS 6, Apple will introduce a new set of application programming interfaces that will replace the use of UDID, and the company plans to ban the use of UDID.