[Update: According to Valve, this exploit has now been fixed. You don’t need to update your Steam client or app because it was a problem with the website.
The problem was an XSS (cross-site scripting) exploit that made use of the My Guides Showcase widget available for profiles. Users found they could insert code into the title section of the widget and it would be executed. These details were kept quiet to minimise the exploit’s impact, but now it’s patched up we all know what went on.
You should still follow the security recommendations below if you think you’ve been affected. Change your password, enable two-factor authentication, check your purchase history.]
A major security flaw has been identified in the Steam community pages, letting malicious hackers redirect you to dodgy pages, perform phishing attacks, buy things using your steam wallet, and do all other dangerous things just by accessing certain pages on the client and site.
The exploit was first identified on the Steam subreddit, and since confirmed by third parties. It affects both user profiles and your own activity feed (the bit you get when you click your username in the client), so stay away from those pages on any device until Valve has resolved the problem.
It is not known for how long this exploit has existed, so it is recommended that you change your Steam password, enable mobile authentication, and triple check your purchase history if you’ve got Steam wallet funds.
The problem has been reported to Valve, and so hopefully it will be resolved as soon as possible. For now, just stick to your library and store pages.