Steam is a reference regarding the security matter. But an exploit was accidentally created by the team last update support system, allowing access any account with only username.
Basically, you need only go to the support site, click on "Forgot password", fill your account name and a confirmation code was sent to the email linked to that account. But if you leave blank code entry field and clicked "Continue", you could access the account normally. The error happened last week and was repaired a few minutes later, but only revealed today.
Valve sent a request for password change for anyone with malicious activity on the account. However, there is to worry about, the unique security system Steam, called Steam Guard, do not allow anyone to buy, sell or exchange items or games in the accounts when you enter a new device; the maximum that may have happened is the invader have played a bit playing the games of your account without you knowing. If you fear something, just enter your Steam and disconnect the other devices that are connected to the account, simple as that.
If you received an email requesting the password change, you know why.