If Steam stores sensitive information hashed and salted, what is the cause for concern? That the hackers might be able to associate Steam usernames with e-mail addresses?
Information like passwords may be more heavily encrypted than credit card numbers, in a way.
Essentially, with passwords, one-way encryption is used. You aren't able to convert the encrypted password back into normal characters. Although, you ARE able to compare other encrypted texts to the encrypted password, to see if it matches. If you ever see a website that sends your password to you when you reset/forgot your password, INSTEAD of literally resetting your password, then it does not use one-way encryption, which is almost always a bad idea.
But, credit card numbers only have to be entered once. Then they are saved into the database, and automatically reused when need be... obviously without you having to enter your credit card number each time you buy something.
What this means is that the credit card number must use two-way encryption. It saves when you enter it the first time, encrypts it - almost certainly heavily, with multiple lengthy random, specific keys, and powerful two-way encryption methods. But, it is still two-way encryption. It is not technically impossible to decrypt, unlike one-way encryption.
This means that, with enough time, computer power, and knowledge of decryption and encryption, a group of hackers could possibly fully decrypt a lot of the info, including the credit card numbers.
Passwords can be brute forced using a random character generator. You can't decrypt one-way encryption, but you can brute force it. Hopefully the encryption on passwords was very strong. In other words, if the password goes through strong two-way encryption and then through one-way encryption, then it would be almost infinitely more difficult to decrypt.
Because you have to first figure out the strong two-way encryption, and then put the result of that through the brute forcer to test comparisons with the one-way encrypted text (passwords). Because the text's end result is the only thing visible, and it is one-way encrypted, it makes the task of finding the previous two-way encryption nearly impossible.
You may not have to brute force as painstakingly with a two-way encrypted string. It is possible to decrypt, and once you fully successfully decrypt it... that's it. It's fully decrypted and easily readable.
I would imagine, if the hackers do plan to do anything with the data in the database, it would more than likely be decrypting all the credit card numbers, attaching as much personal information (retrieved from the database) as possible to each credit card number, and then selling tons of them in bundles over the 'dark side of the internet'.
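Added example, not part of the original thread: salted one-way password storage as described above, using PBKDF2 from Python's standard library, showing that login works by re-hashing and comparing rather than decrypting. The iteration count, function names and sample accounts are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed work factor for this example; a higher count makes every guess slower.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_demo_table() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample accounts: two users who chose the same password."""
    return {
        "alice": hash_password("correct horse battery"),
        "bob": hash_password("correct horse battery"),
    }


if __name__ == "__main__":
    table = build_demo_table()
    for user, (salt, digest) in table.items():
        # Only the salt and digest are stored; the password itself never is.
        print(user, salt.hex(), digest.hex())
    a_salt, a_digest = table["alice"]
    # Same password, different salts: the stored digests do not match each
    # other, so one precomputed lookup table cannot cover every account.
    print("digests equal:", a_digest == table["bob"][1])
    print("right password:", verify_password("correct horse battery", a_salt, a_digest))
    print("wrong password:", verify_password("correct horse batterY", a_salt, a_digest))
```

Because the database holds only the salt and digest, a site built this way cannot mail a forgotten password back to the user; it can only replace it.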
The initial implication of the website fkn0wned.com is interesting - see:
The website owners claimed that they had nothing to do with it, despite the above image and the Steam forums redirecting to their site (before the forums were shut down).
I would tend to believe them. It would be borderline retarded to link to your own gaming community after committing a huge crime like this. It's a pretty obvious false implication IMO.