Yes, changing the password should work by itself, if it is actually the same thing as pops up on Google. And it's less of a server-side security flaw as it is a phishing scam designed to obtain peoples' usernames and passwords by tricking them into thinking they're entering their details into legitimate software.