The company says that approximately 34,000 users were affected by the issue, which was caused by a combination of a denial of service attack and a configuration error. The configuration error was the main culprit, as it affected how Steam cached certain pages, which led to some users receiving cached pages for a different account.
Valve says that the content included on these cached pages ranged from a user's billing address, email address and purchase history, to the last four digits of their Steam Guard phone number, and the last two digits of their credit card number. The cached pages "did not include full credit card numbers, user passwords, or enough data to allow logging in as or completing a transaction as another user."
In what should be a relief to some users, Valve also mentions that if a user did not browse a Steam Store page with their personal information during the time frame which the error occurred, "that information could not have been shown to another user." On top of that, Valve claims that "no unauthorized actions were allowed on accounts beyond the viewing of cached page information."
The configuration error itself arose in response to a denial of serrvice attack that hit the Steam Store on Christmas Day. The attack essentially caused Valve to deploy page caching via a "Steam web caching partner" to reduce the load on their servers, and during "the second wave of this attack", a caching configuration was deployed that "incorrectly cached web traffic for authenticated users."
After the error was identified, which took around 90 minutes, the Steam Store was entirely shut down until the issue could be resolved. According to Valve, "no additional action is required by users" to remain secure while using the Store.