Bluetoad discovered the security breach after David Schuetz, a consultant with mobile security assessment firm Intrepidus Group, informed the company that it might be the source for the leaked UDIDs.

Schuetz started suspecting that the leaked data originated from Bluetoad after finding UDIDs that were listed multiple times in the leaked file and appeared to be linked to the company.

The UDIDs corresponded to devices such as "Bluetoad iPad," "Client iPad BT" and "BT iPad WiFi," and were listed multiple times with different Apple Push Notification Service tokens.

This suggested that those devices were running multiple apps from the same developer -- the developer that was probably the source of the leaked data.

After discovering that Bluetoad is a mobile app developer, Schuetz realized that the listed devices might belong to Bluetoad employees who were testing the company's own apps.