The "5 million passwords" story is way overblown. Quick summary:
- The list was not taken from Google, but from other sites that use email addresses as logins (so if you used a unique password for Gmail, you're fine).
- Less than 2% of the passwords would have worked. Affected accounts have been reset/notified, and none of the passwords will currently work.
Security tips for Gmail / Google accounts in general:
- Use a strong, unique password
- Keep recovery options (backup phone, email address) up to date at https://accounts.google.com/UpdateAccountRecoveryOptions
- Add 2FA
Other security options: http://g.co/accountcheckup