People generally don’t try to get into your account directly. What will happen is that there’s a leak of user data and hashed (sort of like encrypted) passwords, and bad actors will then take this list of passwords, and try to brute force the list, and only once they’ve actually discovered a password in the list, would they then take that password to log in into your account