How can a hacker crack a password but avoid the “login attempt lockout” timers?

If (say) only 5 login attempts are allowed in succession before the account is locked, how do hackers get around this?

8 Answers

Anonymous

Most hackers don’t hack one specific account: they try to get any account. So instead of trying many passwords on the same account, they try the same password on many accounts. And because accounts have separate lockout counters, they are not getting triggered.

Of course, good websites also count attempts per IP, but a hacker can buy a botnet (a lot of computers infected with a virus) to get a lot of disposable IPs.

When hackers target a specific account, they usually come prepared with a short list of possible passwords – which they could get by hacking the same person on a different website with bad security. That’s why experts recommend that you never use the same password on several websites – if one of them gets hacked, they’ll come for all the others too.
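From the defender's side, the answer above implies that a per-account counter alone never sees this pattern, so detection has to count distinct accounts per source and across all sources. The following is an added example, not part of the original answer; the event format, thresholds and sample data are constructed assumptions.

```python
from collections import Counter

def make_events():
    """Constructed sample auth events: (epoch_seconds, source_ip, username, success)."""
    events = []
    # One IP: a single failed guess against each of 30 accounts.
    for i in range(30):
        events.append((1000 + i, "203.0.113.7", f"user{i:02d}", False))
    # Many IPs: 40 sources, each failing once against a different account.
    for i in range(40):
        events.append((5000 + i, f"198.51.100.{i + 1}", f"user{i + 30:02d}", False))
    # Ordinary user: two typos, then a successful login.
    events += [(9000, "192.0.2.10", "alice", False),
               (9005, "192.0.2.10", "alice", False),
               (9010, "192.0.2.10", "alice", True)]
    return sorted(events)

def detect(events, window=300, account_limit=5, ip_accounts=10, global_accounts=25):
    """Evaluate three counters over a sliding window of failed logins.

    Thresholds are illustrative assumptions, not recommended values.
    """
    fails = [e for e in events if not e[3]]
    locked, flagged_ips, global_alerts = set(), set(), []
    for idx, (ts, ip, user, _) in enumerate(fails):
        recent = [f for f in fails[:idx + 1] if ts - f[0] < window]
        # 1. Classic per-account lockout: failures against this one account.
        per_account = Counter(f[2] for f in recent)
        if per_account[user] >= account_limit:
            locked.add(user)
        # 2. Per-source view: distinct accounts this IP has failed against.
        if len({f[2] for f in recent if f[1] == ip}) >= ip_accounts:
            flagged_ips.add(ip)
        # 3. Global view: distinct accounts failing, regardless of source.
        if len({f[2] for f in recent}) >= global_accounts:
            global_alerts.append(ts)
    return {"locked": locked, "flagged_ips": flagged_ips, "global_alerts": global_alerts}

if __name__ == "__main__":
    result = detect(make_events())
    print("locked accounts:", sorted(result["locked"]))
    print("flagged IPs:", sorted(result["flagged_ips"]))
    print("global alert timestamps:", result["global_alerts"][:3], "...")
```

On the sample data the per-account counter locks nothing, the per-IP counter flags only the single-source run, and only the global distinct-account counter fires on the many-source run.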