Brute force password hacks are usually piggybacking off of a database hack. Somehow, the database of password hashes got leaked, and is now available to run on another machine. That other machine has no account lock timers on it, so you can try as many passwords as you want. Either that, or there is some vulnerability that prevents the locks from happening, like the one on iPhone 5 and earlier.