How is Gmail susceptible to brute-force attacks?

For starters, that article misuses terminology.

Whatever vulnerability they may be referring to, it seems pretty blatant that it is not "brute force", as that would contradict the premise of that very sentence. As another answer suggested, it's possible that some form of social engineering was employed, but in this case any rounds of "guessing" left would not be brute force at all but would be cleverly leveraging known data points.

Additionally, it misidentifies the most likely security failure.

Altogether more likely in the case described in the article is a compromised database on another site. The article specifically allows for this when it says "if it didn’t leak from some other site", implying that his wife does not use unique passwords per site. If you don't use unique passwords[1] then all bets are off[2] and you cannot blame Google if your Gmail account is compromised[3]: all your stuff is only as safe as the weakest site you use, a least-common-denominator approach that is bound to get you into trouble, as for any given set of sites it is almost guaranteed that one of them has mishandled user data!

[1] You should. Full stop.

[2] In addition to (but not in place of) using unique passwords, enabling two-factor authentication would also mitigate against this attack vector.

[3] Note again the terminology issue here. A compromised account (as in my usage) is different from a hacked account (as in the article's usage). In the most likely scenario the Gmail account was not hacked; no security measure at Google failed. The attacker was merely able to log in with the password they hacked from somewhere else.


Above that paragraph it says:

It’s possible, too, that my wife’s password was simply “guessed,” though in a different way from what laymen might assume. Guessing less often involves social engineering—trying your birthday or your hometown or your relatives’ names—than “brute-force attacks,”

Which is most likely what he was referring to.

In other words, although by most quantitative standards it's a strong password, it is actually made up of two easily guessed words and a number. An attacker might only need to try a few dozen combinations of home town, DOB, pets' names, etc. to guess the password.
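To make the answer's point concrete, here is an added example (not from the question, the article or any answer) of how small the guess space becomes once the attacker knows the personal words and numbers a password was built from. The profile, the target password "BiscuitSpringfield1978" and its hash are all constructed; a local SHA-256 comparison stands in for "the login succeeded", and nothing here talks to Gmail. The naive strength meter is the usual length-times-character-set estimate.

```python
"""Targeted guessing from known personal data (constructed example)."""
import hashlib
import itertools
import math
import string
from typing import Iterator, Optional, Tuple

# Constructed "known data points" of the kind an attacker scrapes from
# social media: hometown, pets, relatives, memorable years and dates.
PROFILE = {
    "hometown": ["Springfield"],
    "pets": ["Biscuit", "Rex"],
    "relatives": ["Harry", "Sally"],
    "numbers": ["1978", "2005", "0412", "12", "04"],
}

# Constructed target: 22 characters, mixed case plus digits.
TARGET_HASH = hashlib.sha256(b"BiscuitSpringfield1978").hexdigest()


def naive_entropy_bits(password: str) -> float:
    """Strength as a length/character-class meter would score it."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset)


def _word_variants(word: str) -> set:
    return {word, word.lower(), word.capitalize()}


def candidates(profile: dict) -> Iterator[str]:
    """Yield word+word+number, word+number+word and word+number guesses
    built only from the profile, each string at most once."""
    words = set()
    for key in ("hometown", "pets", "relatives"):
        for w in profile[key]:
            words |= _word_variants(w)
    words = sorted(words)  # deterministic order
    numbers = sorted(profile["numbers"])
    seen = set()
    for a, b in itertools.permutations(words, 2):
        for n in numbers:
            for g in (a + b + n, a + n + b):
                if g not in seen:
                    seen.add(g)
                    yield g
    for a in words:
        for n in numbers:
            g = a + n
            if g not in seen:
                seen.add(g)
                yield g


def guess(target_hash: str, profile: dict) -> Tuple[Optional[str], int]:
    """Try each candidate; return (password or None, attempts made)."""
    attempts = 0
    for cand in candidates(profile):
        attempts += 1
        if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    found, n = guess(TARGET_HASH, PROFILE)
    print(f"naive strength: {naive_entropy_bits('BiscuitSpringfield1978'):.0f} bits")
    print(f"recovered {found!r} after {n} targeted guesses")
```

With five words (each in two case variants) and five numbers the whole candidate set is under a thousand strings, against a meter that rates the same password at over 130 bits; the gap between those two numbers is the whole point of the answer above.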


It's true that attacks other than brute force might be mislabelled brute force, or that the author is talking about brute-forcing against a hashed password hypothetically stolen from Google (you'd very much hope they'd disclose if that happened and force password changes).

However, taking the claim at face value, is it true that:

For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.

The answer is a weak yes, they can be, but it's not an especially fruitful line of attack. It's to do with how "don’t allow intruders to make millions of random guesses" is actually implemented.

Google will (I assume) block you if you make too many failed login attempts from a single IP address. But will it lock an account if too many failed login attempts are made on it? ATMs do that; they eat your card if you get the PIN wrong three times. But in order to even make the attempt you have to have the card itself, so the only people who can do this are you or someone who took your card[*].

If Google were to lock your account after three failed login attempts from anywhere in the world, then there would be a trivial (albeit not typically devastating) DoS attack someone could make against Google accounts: just deliberately make a lot of failed login attempts. Anyone who knows your account name can do this; there's no physical token as a second factor. Thousands or millions of people would need to go through the rigmarole and inconvenience of unlocking their account using a phone number or backup email address, or perhaps they would lose their accounts entirely due to having no up-to-date second factor registered. This hasn't happened, so it can't be all that easy to get Google to lock someone's account.

I don't know what Google actually does about locking accounts that appear to be under attack, but it's certainly plausible that a system like Gmail might tolerate quite a lot of nonsense before locking the account.

So, get yourself a botnet of a few million IP addresses, and you can make a relatively slow brute-force attack if you really want to. The more accounts you have to simultaneously work on, the fewer attempts you make on each account and the less likely each account is to get locked. Just don't make too many attempts per day from each IP address.

As to whether it's plausible that really happened to the author's wife, I doubt it. It's not a great use of a world-class botnet. But for a fairly weak password, two common English words followed by (let's say) a three-digit number, it's certainly possible that a massively distributed brute-force attack could find it, if someone chose to apply one. But this password is not in the "top thousand most common" that an attacker would run first against each account, before even starting on "two English words and three digits". It's far from the lowest-hanging fruit. So in that sense systems like this can still be vulnerable to a live brute force, but it's not a thing that really happens AFAIK. At any rate, I think it's worth the author sounding a note of caution that relying on a password of this form not to be brute-forced would be complacent, but FUD together with "this margin is too small to contain the proof" isn't ideal ;-)

Furthermore, Google doesn't actually let you log in from an arbitrary IP address any more: neither my hypothetical botnet nor the lads from Lagos described in the article should be able to log in even if they have the password. Believe me, I've been bitten by this in the past trying to legitimately access Google's various APIs using my own account from virtual servers scattered about the place, never mind what would happen if I tried to use other people's accounts. So even given the risk of password guessing, Google does its best to have a further level of security.


[*] Or someone who cloned your card, if you live in one of those third-world type places that don't have Chip and PIN yet. But if you've cloned someone's credit card in those places, there's way more entertaining things you can do with it than mischievously get it blocked.
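The trade-off the answer above describes (per-IP limits let a distributed attacker spread guesses out; per-account lockout hands anyone who knows your address a DoS) can be made visible with a small in-memory simulation. This is an added example, not code from the answer, and it does not reflect Google's actual policy, which the answer itself says is unknown: the caps (10 failures per IP, 3 or 100 per account), the botnet size, the 10,000-word list and the three-digit suffix are assumptions chosen to make the numbers easy to read.

```python
"""Failed-login limiting policies and what each does and doesn't prevent.
Assumed limits and attacker sizes; nothing here contacts a real service."""
from collections import defaultdict
from typing import Dict, List, Optional


class FailureLimiter:
    """Counts failed logins per source IP and per account and refuses new
    attempts once either counter reaches its cap (None = no cap)."""

    def __init__(self, per_ip: Optional[int] = None, per_account: Optional[int] = None):
        self.per_ip = per_ip
        self.per_account = per_account
        self.ip_failures: Dict[str, int] = defaultdict(int)
        self.account_failures: Dict[str, int] = defaultdict(int)

    def allowed(self, ip: str, account: str) -> bool:
        if self.per_ip is not None and self.ip_failures[ip] >= self.per_ip:
            return False
        if self.per_account is not None and self.account_failures[account] >= self.per_account:
            return False
        return True

    def record_failure(self, ip: str, account: str) -> None:
        self.ip_failures[ip] += 1
        self.account_failures[account] += 1


def spray(limiter: FailureLimiter, n_ips: int, accounts: List[str], per_pair: int) -> Dict[str, int]:
    """Distributed guessing: every bot IP makes up to per_pair wrong guesses
    against every account, stopping as soon as the limiter refuses it.
    Returns how many guesses reached the password check, per account."""
    got_through: Dict[str, int] = defaultdict(int)
    for i in range(n_ips):
        ip = f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}"  # constructed bot addresses
        for acct in accounts:
            for _ in range(per_pair):
                if not limiter.allowed(ip, acct):
                    break
                limiter.record_failure(ip, acct)  # every guess modelled as wrong
                got_through[acct] += 1
    return dict(got_through)


def lockout_dos(limiter: FailureLimiter, victim: str = "alice") -> bool:
    """One attacker IP deliberately fails against the victim until refused
    (bounded at 1000 tries). Returns whether the real owner, from a
    different IP, is still allowed to attempt a login afterwards."""
    attacker_ip, owner_ip = "203.0.113.7", "198.51.100.4"  # TEST-NET addresses
    for _ in range(1000):
        if not limiter.allowed(attacker_ip, victim):
            break
        limiter.record_failure(attacker_ip, victim)
    return limiter.allowed(owner_ip, victim)


def days_to_exhaust(keyspace: int, botnet_ips: int, per_ip_daily_limit: int) -> float:
    """Days for a botnet to try every key against one account when the only
    control is a per-IP daily cap on failed attempts."""
    return keyspace / (botnet_ips * per_ip_daily_limit)


if __name__ == "__main__":
    print("per-IP cap only, 1000 bots vs one account:",
          spray(FailureLimiter(per_ip=10), 1000, ["alice"], 10))
    print("owner still allowed after attacker's failures (per-IP cap only):",
          lockout_dos(FailureLimiter(per_ip=10)))
    print("owner still allowed under a 3-strike account rule:",
          lockout_dos(FailureLimiter(per_ip=10, per_account=3)))
    print("per-IP 10 plus per-account 100, 1000 bots:",
          spray(FailureLimiter(per_ip=10, per_account=100), 1000, ["alice"], 10))
    two_words_three_digits = 10_000 ** 2 * 1_000  # assumed 10k-word list, 000-999
    print("days for 10^6 bots at 10 guesses/day to exhaust that keyspace:",
          days_to_exhaust(two_words_three_digits, 10 ** 6, 10))
```

Read the output the same way the answer does: a per-IP cap alone lets a thousand bots land ten thousand guesses on one account while leaving the owner untouched; a three-strike account rule stops that but lets one stranger lock the owner out; a generous per-account cap on top of the per-IP cap is the middle ground, and even with no account cap at all, a million-node botnet held to ten guesses a day per address needs on the order of ten thousand days to cover "two common words and three digits", which is why the answer calls it a poor use of a botnet.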