On Christmas day, many Steam users experienced a weird moment: they were viewing the store under someone else’s account. This provided users with the ability to see private information such as billing addresses, email addresses, the last four digits of Steam Guard phone numbers and/or the last two digits of credit card numbers. Valve shut down the store soon after realizing the mistake, but had stayed relatively quiet about what had happened. The Steam Store’s Twitter account did not even address any of the issues, despite having roughly 3.5 million followers that could have been notified, as well as no comment from their Facebook account that has over 4 million likes. Finally, Valve has broken their silence and explained what happened, what they are doing to remedy the situation, and who exactly was affected by the breach of privacy.
In short, it looks like Steam was the subject of a DoS attack between 11:50 and 13:20 PST. A frequent occurrence, they often are able to counter the issue of a DoS attack, but store traffic was over 2000% what it normally is on Christmas morning. This caused caching configurations to change in response to the large amount of traffic. It seems like a series of caching configuration errors happened, creating the ability to see the store page from the perspective of another user. They frequently cite their web caching partner as sharing the blame with Steam, though do not reference who that partner is, which makes it harder to share the blame.
Rest assured though, if you didn’t browse a Steam Store page with your account information or at the checkout within the previously mentioned time frame, then you should be fine. Valve are looking into whose accounts were affected and will contact those users for further steps on what to do. They will be working with their web caching partner to find out whose accounts have been exposed. They do insist that there was not enough information provided to complete a purchase on Steam, so most users should be fine.
Source: Steam News