This doesn’t say that no leak ocurred.

It says the leak was not on Steam’s side. I think OP may have been misled a bit by this.

Crucially it also says the phone numbers were not tied to emails, which is a big difference that does make this much less of a big deal.

The gist of it:

The leak consisted of older text messages that included one-time codes that were only valid for 15-minute time frames and the phone numbers they were sent to. The leaked data did not associate the phone numbers with a Steam account, password information, payment information or other personal data. Old text messages cannot be used to breach the security of your Steam account, and whenever a code is used to change your Steam email or password using SMS, you will receive a confirmation via email and/or Steam secure messages.