Sometimes the limited number of attempts is on a per connection basis. What this means is that you get three tries from computer 1, but if you connect from computer 2, you get three different tries. So a black hat hacker with command of a huge botnet can try thousands of connections simultaneously.

As others have mentioned, brute force is not a particularly effective means of cracking a system. A far more effective way is phishing. A black hat creates a copy of the website he wants to hack, using the corporations logos etc. Then he tricks the victim into logging into THAT website instead of the real one. The victim blissfully enters their username and password into the black hat’s eager clutches.