Several friends and I had our Steam passwords stollen. Lesson I learned was not to have same password to more than one service because gmail account was hijacked too. The perpetrator stopped at changing gmail language to Polish, thank God. But, damage he/she could have done was much greater. It was before "login attempt from unknown location" messages. It was a drag to bring all back but we did it. The lesson also is: joining any online service/site we must accept the risk anything you provide could be stollen at some point and modify our usage phylosophy of these services.