As others have mentioned, it is true that there are many ways to hack account without interacting with the login page, but bruteforcing is still a thing.

Usually a hacker will use a leaked database of credentials and attempt to use them on login pages on websites.

The website will block after 3 attempts, but how does it know it was the same computer each time? Because you used the same cookie! If you delete your cookie and try again you will have more attempts, guarenteed. After a certain amount of cookie resets, the website will block your ip, and this point, you will need proxies to rotate your ip address.

All hackers do is rotate ip addresses and cookies to appear to be multiple different computers. Advanced security systems can block this using other identifiers and methods, and it gets very complicated… this is my job 🙂