Session cookie stealing is not an unknown thing
We've known for a while that there's malware which copies your entire browser profile and uses it to access accounts belonging to open sessions. Google really should be checking if a session is suddenly accessed from an IP in a different country, asking for the password before allowing certain settings to be changed, and any password change should immediately invalidate all sessions.