The loophole was fixed as soon as the issue was known, but in the meantime many users lost control of their accounts, though the takeovers do not seem to have been large-scale despite how simple they were to carry out.
The “bug” allowed ‘hackers’ (for lack of a better word… asshats maybe?) to gain control of accounts using no more than the person’s username in the “lost password” section. From there, they could reset your password without any need for an email address or verification.
Any accounts using “Steam Guard”, a two-factor authentication feature, were not affected by the bug, and no password data was lost since there was no need for it anyway.
Any users who had “suspicious password changes” between July 21st and July 25th will receive an email with a new password, and it is recommended that users log in to Steam and change it as soon as possible.
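To make the flaw concrete, here is a small sketch of a reset that trusts the username alone next to one that demands a one-time code sent to the account owner. This is an added example, not Valve's code: the `Accounts` class, its method names and the 15-minute expiry are all assumptions.

```python
import hashlib
import hmac
import os
import secrets

RESET_TTL = 900  # seconds a reset code stays valid (assumed value)

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Accounts:
    """In-memory account store; every name here is hypothetical."""
    def __init__(self):
        self.creds = {}    # username -> (salt, password hash)
        self.pending = {}  # username -> (sha256 of reset code, expiry time)

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.creds[username] = (salt, _hash_pw(password, salt))

    def check_password(self, username, password):
        salt, stored = self.creds.get(username, (b"x", b""))
        return hmac.compare_digest(stored, _hash_pw(password, salt))

    def request_reset(self, username, now):
        """Issue a one-time code (a real service e-mails it, never returns it)."""
        if username not in self.creds:
            return None
        code = secrets.token_urlsafe(16)
        digest = hashlib.sha256(code.encode()).digest()
        self.pending[username] = (digest, now + RESET_TTL)
        return code

    def reset_unverified(self, username, new_password):
        """Flawed flow: the username alone authorises the change."""
        if username not in self.creds:
            return False
        self.set_password(username, new_password)
        return True

    def reset_verified(self, username, code, new_password, now):
        """Hardened flow: needs the unexpired, unused code for this account."""
        digest, expiry = self.pending.get(username, (None, 0))
        if digest is None or not code or now > expiry:
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            return False
        del self.pending[username]  # single use
        self.set_password(username, new_password)
        return True
```

The check that matters is the early return on a missing or empty code: a reset endpoint has to fail closed when the proof of ownership is absent, not just when it is wrong.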
“To protect users, we are resetting passwords on accounts with suspicious password changes during that period or may have otherwise been affected. Relevant users will receive an email with a new password. Once that email is received, it is recommended that users login to their account via the Steam client and set a new password.
“Please note that while an account password was potentially modified during this period the password itself was not revealed. Also, if Steam Guard was enabled, the account was protected from unauthorized logins even if the password was modified.
“We apologize for any inconvenience.”
So yeah… Check to see if you received any such emails on the off-chance you are one of those affected.
The video below shows the bug in action.