The only way google could have done that was if these 3 combination of things were met:

  1. The person is using a non secure wifi network (public wifi in otherwords…i mean thats basically what you are doing when you dont setup wifi security)
  2. Not only would they need to be doing that but they would also need to be putting in a password into a non-secure site…which is pretty rare these days. (well actually many people still use non-secure email servers)
  3. Would have to be transmitting the information at the time google drove by.

Chances are high that if google obtained a password it was because google drove by a public wifi when a customers email client was connecting to a non ssl pop/imap/smtp server.