
The article mentions that lots of German and French ISPs are being hit, I guess they're going after @orange.fr address and the like?

Gmail is pretty secure, I seriously doubt you can log in to someone's account using just their password if you don't have their usual IP, Geo location, User Agent etc.

EDIT: looks like maybe I'm wrong: “It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”



If the user has 2FA then Gmail needs either:

1. RFC 7628 OAUTHBEARER. Basically your IMAP client has to have a way to obtain OAUTH tokens (e.g. spawn a web browser window first time you log in, that authenticates because it's a web browser, then get it to give you an OAUTH token) and it binds that token to your IMAP login as proof of who you are. Google also supports a non-standard older way to do this. Cheesy "my first IMAP implementation" code can't do this, but several Free Software mail clients do.

2. User goes into Google's security settings, says they agree to suffer worse security, gets "app password" minted by Google, fills that into the IMAP client. They can't use their "real" password which is presumably "password1" so the Pwned list doesn't work on this but it's not great.

But if you never set up any 2FA then it really wouldn't matter. Google's answer for their own employees was just to issue them FIDO Security Keys and mandate 2FA, and that's certainly what I'd endorse if you have money and want security, but their medium term plan is to enforce 2FA setup for users who seem to own e.g. a smartphone.
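What the two token-based IMAP logins from the comment above look like on the wire, as an added example that is not part of the thread: the RFC 7628 OAUTHBEARER initial client response and Google's older XOAUTH2 form, plus a decoder a mail server operator could use to log which mechanism a login used. The address, host and token are constructed placeholders.

```python
import base64
import re

SEP = "\x01"  # RFC 7628 "kvsep", the ^A byte that separates key=value pairs


def oauthbearer_initial_response(user, host, port, access_token):
    """RFC 7628 OAUTHBEARER initial client response (before base64).

    Layout: gs2-header ("n,a=<authzid>,"), kvsep, each kvpair followed by
    kvsep, then one more kvsep to terminate the message.
    """
    gs2_header = f"n,a={user},"
    pairs = [f"host={host}", f"port={port}", f"auth=Bearer {access_token}"]
    return gs2_header + SEP + SEP.join(pairs) + SEP + SEP


def xoauth2_initial_response(user, access_token):
    """Google's pre-standard XOAUTH2 initial client response (before base64)."""
    return f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"


def encode_sasl(message):
    """IMAP carries SASL data base64-encoded: AUTHENTICATE <mech> <b64>."""
    return base64.b64encode(message.encode()).decode()


def parse_bearer_login(b64):
    """Decode a captured initial response of either mechanism.

    Returns (mechanism, user, token) so a server-side audit log can record the
    mechanism and identity of an IMAP login without keeping the raw token.
    """
    msg = base64.b64decode(b64).decode()
    if msg.startswith("n,"):
        mech = "OAUTHBEARER"
        m = re.match(r"n,(?:a=([^,]*))?,", msg)
    else:
        mech = "XOAUTH2"
        m = re.search(r"user=([^\x01]*)", msg)
    user = m.group(1) if m else ""
    t = re.search(r"auth=Bearer ([^\x01]*)", msg)
    return mech, user, t.group(1) if t else None


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    raw = oauthbearer_initial_response("user@example.com", "imap.example.com", 993, "tok123")
    print(parse_bearer_login(encode_sasl(raw)))
```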
