Anything exposed to the net can be hacked/cracked into, it often happens to outfits like Steam because they are the biggest target (gets the hackers the most press/prestige and data). Sounds like Valve had appropriate protections in place and is doing what they can. As many around here know, I am not a fan of the Steam concept at all, I do not approve of a global net-nanny controlling everyone's PC gaming purchases and PC game libraries due to this potential problem and others. No one entity should have the kill switch on the software you pay for and no one should be required to buy a game from one 3rd party DRM service exactly for reasons like this. But I'm not going to criticize them about anything they did wrong as this was bound to happen (and bound to again with potentially more success as the hackers likely learned with this attack) and it appears they had taken appropriate security steps to protect their users as best they could. They are the #1 target for attacks like this and it's just a matter of time.
Developers should -never- force Steam to be used with their software (many don't and let me buy their software direct - Thank You). Offer Steam as an option, but do -not- require it and make sure we can purchase and use your software entirely independent of Steam. This way, we will still have access to the software we pay for, we don't need a permission slip from a 3rd party to use it, no net-nanny has the kill switch to our game library (whether flipped intentionally or unintentionally), and our private payment information isn't all housed in one location as a prime target for thieves. The fault is entirely with the hackers, but the gamer's required dependence on Steam for purchasing and using the games they buy raises the risk for everyone involved while also restricting access and control for the customer. Steam should always be optional, never required, especially for purchasing.