General consensus, originated from third-party utility SteamDB, seems to be that Steam information is being cached for users accessing the web store. Users, including our own staff, have seen account information, email addresses, wallet and purchase history, and obfuscated credit card numbers (only the last two digits) of other users when accessing Steam's store. Following initial reports and Valve's own awareness of the issue, the Steam store was taken offline while the company issues a holiday fix.
Valve says that Steam was not hacked and critical CC information “as required by law” is censored and not visible to users. Valve's swift disablement of its store should ensure no actual damage is done to users.