But the account is from Jan 2013. Maybe not bcrypt yet. If password was never changed, is there a chance that the used algorithm was weak and crackable, and so in the event of a leak this could actually be a problem?
I'd make sure that it was a legitimate alert by going to (https://myaccount.google.com/security) because there's tons of fake alerts going around, a lot looking quite legitimate. Was the first thing that almost caught me in years.