What he says here is wrong though:
For nearly an hour, anyone with a Steam account could see random users’ e-mail addresses, phone numbers, and buying histories as well as the last four digits of their credit card numbers, which would be more than enough to steal someone’s Netflix account.
Even without a Steam account, you were able to see all of this (I did).
Having barely paid attention to this when it was happening (main PC was off and I was away), was there anything outside of that list that seemed to be available? I skimmed the Kotaku article but didn't see anything.
As someone who has worked with a lot of sensitive info (namely, web systems that handled payments), those things listed aren't exactly considered super critical data. Last four is kept as a helper to users - your actual, full, CC number is never stored unencrypted or even stored at all - PCI compliance is incredibly strict and not something you screw around with. Hell, you can get name and last four off of discarded CC receipts. Having your last four 'stolen' sounds scary but it's basically useless in itself.
Your email and phone are already on the internet somewhere; you've probably listed them somewhere public you forgot about.
The 'Confessions' article that talked about stealing a Netflix account was more of an implication of lousy Netflix security than anything else.
As for the BBB, they're not very trustworthy and shouldn't be your gold standard on a company's quality. They're a business, through and through, not a non-profit watchdog or part of the government. Take their ratings with a grain of salt.
As someone who keeps their Steam profile on Private, doesn't use Facebook, Twitter, etc., and is generally fairly cagey with online info, having those bits of data taken doesn't frighten me in the least.
Valve needs to be open and transparent about what happened, what's being done about it, and what concerns people should have, but this isn't the OPM theft or voter records leak by any stretch.
Edit: So reading their response, what could have been taken in a worst case amounted to very little, at worst your billing address/email address, both of which are typically easy to dig up via other means.