edit: Well, seems like I was utterly wrong. So, sorry Steam.

I just made a purchase and noticed that, unlike in previous occasions, the payment (via Paypal) went through without me having to log into it and manually approve the payment.
My Paypal password is moderately complex and on top of that I have 2FA enabled. Finally, it is connected to a secondary account where I only have a moderate amount of funds at any given time. All of which I'd wager is a decent level of security.
BECAUSE OF THAT, I don't mind having a weak password for my Steam account, because even if someone hacks Steam, they would have a hard time making purchases with it. Or so I thought, until today.
So, Steam, WTF are you thinking?! I don't know who among your product owners thought this is a good idea but let me tell you, it is not. It's not like everyone here will have all these layers of security set in place.
AT A MINIMUM, this is the kind of functionality for which one would have to manually OPT IN (i.e., you don't get it set by default, but you have to personally allow it in your settings).
And at the very same minimum, I would expect you to revert back on this option, or allow users to opt out (although, again, the opposite should be the norm).