Do NOT visit the Steam Store
[Update 2: We’ve received comment from a Valve representative, who confirms that a caching bug was responsible for the leak. According to Valve, only cached information was viewable, and no “unauthorized actions” were performed on the affected accounts. The company also claims that no further action is required on the part of the user. Regardless of what Valve says, we urge you to make any possible change to your personal information — as difficult as changing your two-step phone number or PayPal email address might be — in light of these events.]
[Update: According to a post from Steam community moderator KillahInstinct, Valve has fixed the problem. The Steam store is up and running as of this update. KillahInstinct claims that phone numbers and credit cards were censored “as required by law,” but this conflicts with anecdotal reports that claim otherwise.]
According to multiple Steam users on Twitter and NeoGaf (plus a hands-on report from Kotaku), a problem with Steam’s cache gave users access to random accounts. This included phone numbers, payment information, and libraries. Steam has been taken offline as of time of writing, but we still advise caution until the leak has been plugged for certain. We’ll update this story if/when we get comment from Valve.
Some users reported an inability to make any changes to these random accounts, and also could not access their own account to remove their personal information. However, other users reported being able to make purchases, while some good Samaritans are removing personal information.
There is something proactive you can do, however. If you primarily use PayPal as a payment method, you can remove Steam’s access remotely. Just log into PayPal, go to “settings,” click on “preapproved payments,” click “Valve Corp” or “www.steampowered.com.” and cancel the site’s ability to charge your account.
For now, avoid logging into any Steam-related websites. I performed a cursory evaluation of my Steam client (because writing), and my account seems fine, but I’m not going to risk it. Steam analyst Sergey Galyonkin believes the accounts are limited to a select few, but you’re still better off avoiding Steam until the matter is settled.
I can confirm that: Steam gave me access to another person’s account with credit card info and purchase history pic.twitter.com/IzhE4M5sme
— Steam Spy (@Steam_Spy) December 25, 2015