Glad to see you got your issues sorted out, OP.
[quote name='Oktoberfest']pretty sure there are steam account bruteforcers out there, so maybe you're just unlucky and got hit by them[/QUOTE]
"Steam account bruteforcers"? Ah, no.
Steam passwords can include upper and lower-case characters, numbers, and punctuation (all 32 standard marks found on a US keyboard, if I'm not mistaken). Let's say that someone had a 6-character password (which is quite short, in terms of passwords). If you had some sort of brute forcing system that could somehow test
1,000 passwords per second (which is actually extremely slow in terms of brute forcing; however, I have to imagine that Valve has some sort of security flag that would trip if it saw something like 1,000 attempted logins per second for a given account, which alone makes the entire concept of brute forcing a Steam password completely implausible) within the aforementioned possibility space for a password of that length, it would take
22 years to try all of the possibilities.
Now, if someone's Steam password was a short, common (and commonly spelled) dictionary word, then a dictionary lookup (which is very different from brute forcing, in cracking terms; basically, it's a system that tries a list of predefined words, like those in a dictionary) is a
slightly more plausible method to steal a Steam password, but it would still take
forever, and again, I can't imagine that Valve doesn't have some sort of security in place, that would notice the many thousands of attempts that could take, and flag it as suspicious.
In general, it's practically impossible to steal logins for online services, by brute forcing. The amount of bandwidth alone that it would requite is absolutely
enormous (even if you were only sending a few bytes per attempt, that adds up really fast when you consider that you're undoubtedly dealing with
billions of necessary attempts), and when you look with the amount of time such a thing would take, not to mention the fact that any decent security system would notice such activity, the entire notion quickly moves out of the realm of practical possibility.
Brute forcing, by it's nature, is more or less confined to
local password cracking (for password-protected archives, for instance), if you want to stay something resembling practical. Without having to worry about things like bandwidth concerns and website security systems to alert, you can conceivably test billions of passwords per hour, on a local system (though still, when dealing with passwords of any significant length, you quickly move up to
years of time being necessary).
But brute-forcing internet passwords? Pretty much impossible. Stealing of website and online service passwords is pretty much all done one way: social engineering.
Also Valve should start offering those password generators that banks have so it's pretty much impossible to steal someone's Steam account without physically stealing the password generator.
As I've explained: Any Steam password that's stolen, is pretty much undoubtedly stolen through social engineering.