Someone discovered a dangerous Steam exploit over the weekend that has since been repaired. When you want to reset your password, Steam sends a code to your email that you then punch in to verify that you should, in fact, be resetting it. While the bug was active, you could just click past that box without filling anything out. Uh-oh.
Valve has some other safeguards in place in case that happens, though, too. Trading is automatically restricted after a password change, and Steam Guard codes were unaffected by the bug, so if you’ve enabled this feature on your account this was only a minor problem, as the ne’er–do–well never saw your password or email address at any point during the process.
Valve released the following statement once the bug was fixed:
To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorised logins even if the password was modified.
We apologise for any inconvenience.
Hopefully this didn’t affect any users in a massive way before it was fixed.