Re: The other big lesson
"that will be sure to generate an automated email to the owner which will alert them to the compromise"
I don't know about that - my phone pings me (and it even has a bloody persistent notification status icon all just for this, without me having installed anything FFS!) before I even raised my hands from typing the password logging in from a PC Google thinks it doesn't like; even having entered the correct (long!) password at the first try, even from the same geographic area as usual, with an IP that hasn't changed for literally decades, from which it saw me log in numerous times - my browser just don't have its latest and greatest cookie since I purge them at the end of session on this machine...
Somewhat ludicrously, I also get alerted by email, which I'm (as a suspected fraud) free to delete for a "real owner" never to see assuming "he" doesn't have a push-email receiving device and checks his mail the old fashioned way, periodically. So yeah, I'm not sure what if anything more doing stuff like changing a password would trigger, given I see the whole nuclear spectacle for simply logging in from anywhere but home, from the one browser I allow to keep cookies persistently...
Actually it's rather like Google rubber-stamping me on each login (the way some parties/clubs do once you enter) then slamming me against the wall and yelling "who are you and what did you do with the real DropBear?!?" each time I take a shower...