Up to late August Steam has had a bug where it was possible for anyone to grab activation keys for any game on Steam. Fortunately for Valve, a security researcher decided to give Valve a heads-up and report the issue. 

On August 7, Moskowsky reported the issue to Valve via security bounty site HackerOne. While it's not possible to view the details of the exploit in the report, the following description is provided:

Using the /partnercdkeys/assignkeys/ endpoint on partner.steamgames.com with specific parameters, an authenticated user could download previously-generated CD keys for a game which they would not normally have access.

Audit logs were not bypassed using this method, and an investigation of those audit logs did not show any prior or ongoing exploitation of this bug.

This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set). Apparently initially when he found the flaw he was able to generate 36.000 valid keys for Portal 2 but then he realized the full scope of the flaw and that it affected every game on Steam.

Moskowsky says that under normal circumstances when he attempted to retrieve CD keys for games he didn't own, Steam's API gave him an error, which is what's supposed to happen.

Within four days, Valve had fixed the issue and awarded Moskowsky a bounty of $US20,000 A few days later, Moskowsky requested the bug be reported publicly, though it took Valve almost two months to agree, on November 1 it was published. The problem has been plugged.

A Steam Bug Would Let You Get Free Keys For Any Game