There are people like me who accept friend invites from "random" people, people you might have played with, you can't remember all. There is nothing wrong with accepting friend invites, it won't get you hacked. I have actually accepted what appeared to be "random" invites and turned out to be SAES players or people I played with on other games. You can still get these sort of stuff from people you played with, nothing is guaranteed since you actually don't know the person.
For all of you saying, Steam Guard and email verification, go ahead and enter your steam account on the website since you're so certain you're protected. There are ways around 2FA and email verification if the hacker knows what they're doing. But more simpler, some people use the same email/password or the same password across several plateforms so there is that too.
This was just a friendly advice and maybe a reminder so that you pay attention to these sort of things in the future, take it or leave it, up to you.
edit: also, while I'm not certain, it did not seem like a bot, he had a few games on his account. If it is, it's probably a hacked account or so. Doesn't change anything however, bot or not. I made my point.