Its owner and operator, Valve, uncovered an intrusion into a user database while investigating a security breach of its discussion forums.
The attackers used login details from the forum hack to access a database that held ID and credit card data.
Valve said that, so far, it had no evidence that credit cards were being misused or Steam accounts abused.
The defacement took place on 6 November and the Steam forums were taken offline when Valve learned of the attack.
At first the firm said the discussion groups were offline for maintenance.
However, a message posted to the front page of the forums by Valve boss Gabe Newell on 10 November has revealed that the sites were shut down because of the defacement.
Valve’s investigation of that incident revealed that the “the intrusion goes beyond the Steam forums”.
The initial investigation showed that the attackers gained access to a Steam database that held “user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information”.
Valve has not said whether this was the full database of Steam’s 35 million active accounts or a subset of that total.
Mr Newell said Valve had no evidence that the encrypted credit card information or personal information on gamers had been taken. However, he added, “we are still investigating”.
He said it had only discovered that a few forum accounts had been compromised and used to carry out the defacement.
But Mr Newell added that all forum users will be required to change their passwords when the discussion site re-opens, which the firm is trying to achieve as quickly as possible.
He advised users to change passwords on other accounts if they are the same as the one used for the Steam forums.
“I am truly sorry this happened, and I apologize for the inconvenience,” concluded Mr Newell.
Steam is a gaming service that lets people buy, download, play and chat about a huge variety of games, only some of which are made by Valve itself.
About 1,500 titles are currently available on Steam including Skyrim, LA Noire and Modern Warfare 3 as well as many independent and free games.
Security expert Paul Ducklin, writing on the blog of security firm Sophos, handed down advice about what to do following the breach.
He said users should change passwords, monitor credit card statements, consider removing card numbers from Valve’s servers and sign up for the Steam Guard security service.
He also urged users to insist businesses take steps to make it much harder for hackers to penetrate their systems and use stolen data.
“Community pressure has persuaded many businesses to improve their password-handling code,” he said.