Hackers write programs that routinely try a single password with many thousands or more of different user IDs. Then the program tries the next password with the same many thousands or more of different user ids. If it waits an amount of time between attempts, many of these will have reset either through a valid login from the real user or a bad password timeout which many systems have. In some cases they may test an account to see if there is a bad password timeout so they know how often their program can try their account list with a new password. Then they sit back and let their program run against that company’s systems and it sends them any valid account password combinations. Even if it only tries one password a day from a list of common passwords, it can try every combination of user id with the 365 most common passwords in a year. If it can do many attempts per account per day it can test that many more. If the is no wrong password attempt lockout, it can try as fast as possible going through hundreds of password attempts every minute.