It's worth noting that as far as I know Steam Guard is active for any user who didn't disable it. Meaning, if someone tries to log in to your Steam account on a device that isn't yours (both via the client and on the website) he'll get a prompt to enter a 4 char long code which is sent to your authorized email address.
So your Steam account is save. Your email address probably isn't a secret anyway. The password is changed in a second.
Which leaves your payment (encrypted) and billing info. Personally I use Click&Buy which requires a separate authorization from me and I'm actually not sure if I have any billing address associated with Steam. So for me this whole thing is just a minor annoyance in changing my password.
Obviously I might treat the obtained user data different from other people.
So your Steam account is save. Your email address probably isn't a secret anyway. The password is changed in a second.
Which leaves your payment (encrypted) and billing info. Personally I use Click&Buy which requires a separate authorization from me and I'm actually not sure if I have any billing address associated with Steam. So for me this whole thing is just a minor annoyance in changing my password.
Obviously I might treat the obtained user data different from other people.