They dont brute force on the site itself, instead they do it on hashed passwords that are leaked in data breaches. Basically whenever you hear in the news that so-and-so website had user data leaked, it means that encrypted versions of the passwords have been leaked. These are traded on the so called dark web and those who have the emcrypted passwords will try different combinations of characters until they find the actual passwords. Thats brute forcing basically