: how can brute forcing password still exist if sites lock the account after several failed attempts?

239 views


15 Answers

Anonymous 0 Comments

Hackers don’t brute force passwords by trying to log in to the service over and over again. Instead, what they do is brute force password *hashes*. These hashes can be acquired from database dumps of very large sites. Even if those accounts are for a forum and contain no sensitive data, they can still be useful. The hacker will take a giant list of password hashes and then use a program like John The Ripper along with their GPU to crack the passwords, i.e. turn the hashed passwords back into plain text. The hacker will then take those passwords and emails and check other services to see if you’ve reused the same password for other services that do contain sensitive information like bank credentials.

Also, there are attacks that hit login services, but that isn’t brute force. It’s what’s called “cred stuffing”. There are lots of Discord forums and dark net sites that traffic in large lists of *already brute-forced or stolen credentials* as well as programs that allow you to use them. The programs will rotate through a giant list of proxies and attempt to log in to different services using the list of credentials. The program will then mark the credentials as valid or invalid for each service. If you’ve ever seen people selling super cheap Netflix, OF, Disney Plus, or Spotify accounts, this is how those accounts are acquired.

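The answer above explains why per-account lockout does not stop credential stuffing: the lockout counter lives on each account, while stuffing spends only one or two attempts per account across thousands of accounts. The following is an added example, not code from the original post or any tool it names, showing the defender's side of that gap. It compares a classic per-account lockout rule with a cross-account rule (one source touching many distinct accounts with a high failure rate in a time window) over a constructed auth log. The log format (`<ISO timestamp> <OK|FAIL> user=<name> ip=<address>`), the thresholds, and all addresses and usernames are assumptions made for the example.

```python
"""
Added example (not from the original post): contrast a per-account lockout
counter with a cross-account credential-stuffing detector over an auth log.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data). Assumed format:
#   "<ISO timestamp> <OK|FAIL> user=<name> ip=<address>"
# 203.0.113.10 : one attempt per account across many accounts (stuffing pattern)
# 198.51.100.5 : a normal successful login
# 192.0.2.7    : repeated failures against one account (classic brute force)
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAIL user=alice ip=203.0.113.10
2024-01-01T10:00:02 FAIL user=bob ip=203.0.113.10
2024-01-01T10:00:03 FAIL user=carol ip=203.0.113.10
2024-01-01T10:00:04 OK user=dave ip=203.0.113.10
2024-01-01T10:00:05 FAIL user=erin ip=203.0.113.10
2024-01-01T10:00:06 FAIL user=frank ip=203.0.113.10
2024-01-01T10:00:07 FAIL user=grace ip=203.0.113.10
2024-01-01T10:00:08 FAIL user=heidi ip=203.0.113.10
2024-01-01T10:01:00 OK user=alice ip=198.51.100.5
2024-01-01T10:02:00 FAIL user=bob ip=192.0.2.7
2024-01-01T10:02:01 FAIL user=bob ip=192.0.2.7
2024-01-01T10:02:02 FAIL user=bob ip=192.0.2.7
2024-01-01T10:02:03 FAIL user=bob ip=192.0.2.7
2024-01-01T10:02:04 FAIL user=bob ip=192.0.2.7
2024-01-01T10:02:05 FAIL user=bob ip=192.0.2.7
"""


def parse_line(line):
    """Turn one log line into a dict with ts, ok, user, ip."""
    ts, result, user_field, ip_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "ip": ip_field.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def per_account_lockouts(events, threshold=5):
    """The rule most sites implement: lock an account after N failed logins.
    Returns the set of accounts that would be locked."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["user"]] += 1
    return {user for user, n in fails.items() if n >= threshold}


def detect_credential_stuffing(events, window_seconds=600,
                               min_accounts=5, min_fail_rate=0.5):
    """Cross-account rule: within a time window, flag a source IP that touched
    at least `min_accounts` distinct accounts with a failure rate of at least
    `min_fail_rate`. Returns {ip: stats}, including which accounts it got into,
    so those accounts can be reset even though none of them was ever locked."""
    t0 = min(e["ts"] for e in events)
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0,
                                   "fails": 0, "successes": []})
    for e in events:
        bucket_id = int((e["ts"] - t0).total_seconds()) // window_seconds
        b = buckets[(e["ip"], bucket_id)]
        b["users"].add(e["user"])
        b["attempts"] += 1
        if e["ok"]:
            b["successes"].append(e["user"])
        else:
            b["fails"] += 1
    flagged = {}
    for (ip, _), b in buckets.items():
        fail_rate = b["fails"] / b["attempts"]
        if len(b["users"]) >= min_accounts and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "accounts": len(b["users"]),
                "attempts": b["attempts"],
                "fail_rate": fail_rate,
                "successes": sorted(b["successes"]),
            }
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-account lockout catches:", per_account_lockouts(events))
    print("cross-account rule flags:", detect_credential_stuffing(events))
```

On the sample, the lockout rule locks only `bob` (the one account hit repeatedly), while the stuffing source never trips it because each account saw a single failure; the cross-account rule flags that source and reports the one account (`dave`) where a reused password worked, which is exactly the account a defender needs to reset.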