So, if I haven't touched Steam today at all, I should probably keep it that way?
Security breach or not, personal info exposed like this, in particular email addresses, is a VERY serious matter.
I'd trust these guys, so if you're having fun looking up random profiles, maybe don't
Not buying it. Cache-control headers would not give you the authorization to go to other pages in the account. Once you get someone's account page you can go anywhere and (I suppose) change anything. That's not caching and even if it is, it's a colossal security fuck up.