There is more than one way to brute force a password. The purpose of a lockout is to prevent this exact type of attack, but if the attacker can get more information they can get around this lockout. Servers *usually* store password using something called a hash which is a “number” that is calculated using an algorithm that cannot be done in reverse, a password can be put through a hash algorithm and the returned hash can be stored. When someone tries to log in the server generates the hash of the password you just typed in and if its the same as the one it has stored you are logged in.

If an attacker gets the password hash database and knows which algorithm they use, they can try to brute force the password without trying to log in to the site. Once they have a password that matches the original hash they can enter that into the site and thee will be able to log in.