
Makes me curious if Gmail tells you when new/suspicious IMAP connections are made. I know they do tell you for normal web logins. Off to disable IMAP where I don't need it...


I'm not sure about Gmail, but Outlook does, and it's kind of interesting to check out https://account.microsoft.com/security > Sign-in activity and see all the random IPv6 addresses unsuccessfully trying to connect via IMAP. My email was in some random db dump (with a password I didn't reuse) probably a decade ago and apparently people are still trying to cred stuff it.


The article mentions that lots of German and French ISPs are being hit, I guess they're going after @orange.fr address and the like?

Gmail is pretty secure, I seriously doubt you can log in to someone's account using just their password if you don't have their usual IP, Geo location, User Agent etc.

EDIT: looks like maybe I'm wrong: “It’s just more difficult to get through the Web interface because on a website you have a plethora of advanced authentication controls at your fingertips, including things like device fingerprinting, scanning for http header anomalies, and so on,” Bill said. “But what are the detection signatures you have available for detecting malicious logins via IMAP?”


If the user has 2FA then Gmail needs either

1. RFC 7628 OAUTHBEARER. Basically your IMAP client has to have a way to obtain OAUTH tokens (e.g. spawn a web browser window first time you log in, that authenticates because it's a web browser, then get it to give you an OAUTH token) and it binds that token to your IMAP login as proof of who you are. Google also supports a non-standard older way to do this. Cheesy "my first IMAP implementation" code can't do this, but several Free Software mail clients do.

2. User goes into Google's security settings, says they agree to suffer worse security, gets "app password" minted by Google, fills that into the IMAP client. They can't use their "real" password which is presumably "password1" so the Pwned list doesn't work on this but it's not great.

But if you never set up any 2FA then it really wouldn't matter. Google's answer for their own employees was just to issue them FIDO Security Keys and mandate 2FA, and that's certainly what I'd endorse if you have money and want security, but their medium term plan is to enforce 2FA setup for users who seem to own e.g. a smartphone.
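As an added illustration of the OAuth path described in this comment (example code, not from the thread or from Google): the SASL initial responses an IMAP client sends for RFC 7628 OAUTHBEARER and for Google's older non-standard XOAUTH2, plus a check of a server CAPABILITY line for whether plain password LOGIN is still accepted. The address, token and capability lines are constructed samples.

```python
import base64

# Constructed sample values (not real credentials): a mailbox and a fake bearer token.
USER = "alice@example.com"
TOKEN = "ya29.CONSTRUCTED_SAMPLE_TOKEN"
KVSEP = "\x01"  # RFC 7628 uses ^A (0x01) between key=value pairs


def build_oauthbearer(user: str, token: str, host: str, port: int) -> str:
    """RFC 7628 OAUTHBEARER initial client response, before base64 encoding.
    Layout: GS2 header "n,a=<authzid>," then ^A-separated key=value pairs, ended by ^A^A."""
    return (f"n,a={user},{KVSEP}host={host}{KVSEP}port={port}{KVSEP}"
            f"auth=Bearer {token}{KVSEP}{KVSEP}")


def build_xoauth2(user: str, token: str) -> str:
    """Google's older XOAUTH2 mechanism: "user=<addr>^Aauth=Bearer <token>^A^A"."""
    return f"user={user}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"


def encode_initial_response(raw: str) -> str:
    """Base64 form sent with AUTHENTICATE (SASL-IR) or as the continuation reply."""
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def assess_capabilities(capability_line: str) -> dict:
    """Read an IMAP CAPABILITY response and report which login paths the server advertises.
    LOGINDISABLED means the bare LOGIN command (username + password) is refused."""
    caps = {tok.upper() for tok in capability_line.split()}
    mechs = {tok.split("=", 1)[1] for tok in caps if tok.startswith("AUTH=")}
    return {
        "password_login_allowed": "LOGINDISABLED" not in caps,
        "oauthbearer": "OAUTHBEARER" in mechs,
        "xoauth2": "XOAUTH2" in mechs,
        "plain_sasl": "PLAIN" in mechs,
    }


# Constructed capability lines: one server that only takes OAuth, one legacy server.
OAUTH_ONLY = "* CAPABILITY IMAP4rev1 SASL-IR AUTH=XOAUTH2 AUTH=OAUTHBEARER LOGINDISABLED"
LEGACY = "* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN"

if __name__ == "__main__":
    print(encode_initial_response(build_oauthbearer(USER, TOKEN, "imap.example.com", 993)))
    print(encode_initial_response(build_xoauth2(USER, TOKEN)))
    print(assess_capabilities(OAUTH_ONLY))
    print(assess_capabilities(LEGACY))
```

The "password_login_allowed" flag is the one a defender cares about: a server that still advertises AUTH=PLAIN without LOGINDISABLED is reachable with a leaked password alone, regardless of what the web login enforces.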


You have to go through a number of extra steps to turn on being able to get your mail outside of gmail. I think most never bother. I believe it is called allow insecure devices.


IIRC, you can log in with external clients, but those clients need to support the embedded google login screen which can ask for 2FA / anything else. If you want to log in with just an email and password then you have to change that setting.


Most people don't even need an IMAP password if using a client like Thunderbird. It will just pop up a webpage to generate an OAuth token that it will use.


Enable two-factor authentication and disable app passwords. That should be enough to stop this particular type of scam.


I've gotten notifications from gmail when there were logins from outside the US to my account.


Right...for regular Gmail logins though, or IMAP ones?


You can't just log in via username/password with IMAP anymore. The email client either has to support the Google login window or you have to go into your account and generate a program-specific access token for it.


Google does recognize new IMAP logins.

Every time I buy a new device and port my account, I get spam from Google saying, "Your new iPad isn't set up yet without the Gmail app! Get the Gmail app now or you won't be super duper cool!"

