The search giant claims fewer than 2 percent of the leaked username and password combinations might have worked and that Google's anti-hijacking systems would have blocked many of those login attemps. Google says it protected the affected accounts and have required those users to reset their passwords.
It’s important to note that in this case and in others, the leaked usernames and passwords were not the result of a breach of Google systems. Often, these credentials are obtained through a combination of other sources.Source: ARS Technica
For instance, if you reuse the same username and password across websites, and one of those websites gets hacked, your credentials could be used to log into the others. Or attackers can use malware or phishing schemes to capture login credentials.