Three months ago, Steam acknowledged that they had been hacked on November 6. At the time, they wrote:
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
Now, three months later, they are still investigating, but have notified users that a backup file with encrypted credit card information was “probably” acquired by the hackers. Eurogamer.net has more on the update.