How can hackers crack a password through brute force if there’s a limit of attempts?

9 Answers

Anonymous 0 Comments

The attacker might have access to a lot of computers. This might allow him to reach the limited number of attempts for each computer. Even if there is a limited number of attempts per account, he could try lots of different accounts and hope to guess the password on at least some of them. This might not help him too much, but if you have a password which is easy to guess, it could be possible to get it this way.

The attacker might also be able to get a copy of the user table in the database somehow. There might be a bug somewhere allowing them to read data from the database; the database might have a copy somewhere they can get it from; or there might be an employee of the company or one of the service vendors with access to the database who might be subject to bribery or extortion. Having a copy of the cryptographically hashed password will allow them to circumvent the password attempt limit, as they would be validating the passwords themselves. They can even use distributed computing, GPUs or FPGAs to speed up the password validation. Depending on how the hash is implemented, they might also be able to try each password for every user at once instead of one user at a time.

They might also have been able to get the password from a different service you use. As a lot of people use the same username and password for all services, they are able to log into all of your services even if only one is compromised.

The most common recommendation is therefore to use a password manager, for example 1Password or KeePass. This will allow you to use a password for just one service and then generate complex unique passwords for all other services you use.
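The answer's remark that hash design decides whether one guess can be checked against every user at once is what per-user salts address. The following is an added example, not part of the original answer: the account names, passwords and the PBKDF2 work factor are constructed assumptions, and it contrasts an unsalted table with a salted, slow-hashed one from the point of view of someone auditing their own user table.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

# Constructed sample accounts: alice and bob picked the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "t7#Vq2!mZp"}


def slow_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def weak_table(users):
    """Fast, unsalted SHA-256: equal passwords give equal stored hashes."""
    return {u: (b"", hashlib.sha256(p.encode()).digest()) for u, p in users.items()}


def strong_table(users):
    """Random 16-byte salt per user plus a deliberately slow KDF."""
    table = {}
    for user, password in users.items():
        salt = os.urandom(16)
        table[user] = (salt, slow_hash(password, salt))
    return table


def verify(table, user, password):
    """Check a login against a salted record in constant time."""
    salt, stored = table[user]
    return hmac.compare_digest(slow_hash(password, salt), stored)


def duplicate_hash_groups(table):
    """Audit check: users sharing a stored hash reveal missing salts."""
    groups = defaultdict(list)
    for user, (_salt, digest) in table.items():
        groups[digest].append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def computations_per_guess(table):
    """Hash runs needed to test one candidate against every user."""
    return len({salt for salt, _digest in table.values()})


if __name__ == "__main__":
    for name, table in (("weak", weak_table(USERS)), ("strong", strong_table(USERS))):
        print(name, duplicate_hash_groups(table), computations_per_guess(table))
```

With the unsalted table a single hash computation covers all users and the shared password is visible as a duplicate; with salts the work scales with the number of accounts and each run is deliberately slow.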
