Usually the concern is that a data leak could result in someone getting hold of the hashed password (the scrambled version the service keeps in their database to check you entered the right password).

If someone has the hashed password they can try to guess it and check if they were right as many times as they want on their own computer.

If they find a password that works they can then use it on the real service, or other services you might use the same password for, and get it right on the first try.