If I enter a password wrong thrice, the system locks me out. How are hackers able to attempt millions of combinations of passwords without the system locking them out?

Edit: Thank you everyone who’s taken out time to explain it to me. I’ve learnt so much. Appreciate it.

Yes, I do use ‘thrice’ in my conversation whenever required. I’m glad it amused so many of you.

11 Answers

Anonymous

Many answers here are tackling how attackers use leaks and phishing to accomplish this, but I do want to highlight one frequently used brute force method:

There is a very common attack vector called “password spraying”, which essentially uses a set of common passwords (iloveyou, password123) generic to everyone and/or personalised ones (firstname123, email alias, phone number, etc.) to see what accounts they could get into.

The key is that you can set up password attempt limiting in two ways –
* absolute attempts: no matter who is trying to sign into an account, lock it up after x attempts. This means that if you tried to sign into your account with a wrong password from your phone twice, then from your laptop once, it would lock you out of your account. Many high security financial apps have this.
* relative attempts: they lock your device out, but not the whole account. Websites use information about your device (e.g. from your cookie), session, IP, etc. and just lock you out from that attempt. While this works against manual hack attempts, like your boyfriend trying to log into your messenger account, it doesn’t protect much against automated hackers. All a hacker has to do is reset their proxy to a new location, clear their cookies (both of which can be automated in a matter of milliseconds), and try another set of passwords as part of a new attempt. Most social media accounts that are optimised for access rather than security use versions of this, with varying levels of strictness in how they define a new login attempt.

But in any case – use good, strong passwords. And don’t use the same one everywhere – some websites are incredibly easy to crack or reverse engineer, so your security online becomes dependent on the weakest link.
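The two lockout policies the answer above describes, and the two attacker behaviours that beat them, as an added simulation that is not part of the original answer. It models an "account" policy (absolute attempts, counted per username) and a "client" policy (relative attempts, counted per cookie/IP), then runs a single-account brute force with and without proxy/cookie rotation, and a password spray that stays under the per-account threshold. The user database, wordlists and client identifiers are all constructed sample data, not real accounts or real services.

```python
"""Toy login service with two lockout policies, plus the attacks from the
answer: single-account brute force (with client rotation) and password
spraying. All accounts and passwords below are constructed sample data."""
from dataclasses import dataclass, field
from itertools import count

# Constructed sample user database; some accounts use passwords that sit on
# every attacker's "common passwords" list.
USERS = {
    "alice": "iloveyou",
    "bob": "Tr0ub4dor&3",
    "carol": "password123",
    "dave": "correct horse battery staple",
    "erin": "erin2019",  # hypothetical personalised pattern (name + year)
}

# Constructed spray list: generic guesses an attacker tries against everyone.
COMMON_PASSWORDS = ["password123", "iloveyou", "123456"]


@dataclass
class LoginService:
    """Minimal login endpoint with a configurable lockout policy.

    policy="account": failures are counted per username (absolute attempts).
    policy="client":  failures are counted per client identifier, i.e. the
                      cookie or source IP the attempt came from (relative attempts).
    """
    users: dict
    policy: str
    max_attempts: int = 3
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def _key(self, username, client_id):
        return username if self.policy == "account" else client_id

    def login(self, username, password, client_id):
        key = self._key(username, client_id)
        if key in self.locked:
            return "locked"          # locked keys are refused even with the right password
        if self.users.get(username) == password:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.max_attempts:
            self.locked.add(key)
        return "wrong"


def brute_force(service, username, wordlist, rotate_client):
    """Online brute force of one account.

    rotate_client=True models an automated attacker that switches proxy IP and
    clears cookies before every attempt, so each guess arrives as a new client.
    Returns (cracked_password_or_None, attempts_sent, locked_responses_seen).
    """
    clients = count()
    client_id = f"client-{next(clients)}"
    attempts = locked = 0
    for guess in wordlist:
        if rotate_client:
            client_id = f"client-{next(clients)}"
        attempts += 1
        result = service.login(username, guess, client_id)
        if result == "ok":
            return guess, attempts, locked
        if result == "locked":
            locked += 1
    return None, attempts, locked


def password_spray(service, usernames, passwords):
    """Try a few common passwords once each against every account, never
    pushing any single account to the lockout threshold. Each attempt also
    comes from a fresh client id. A real spray additionally waits out the
    lockout observation window between passwords; this toy service has no
    clock, so it simply stops before the threshold is reached."""
    cracked = {}
    clients = count()
    per_account_budget = service.max_attempts - 1   # stay below the lockout
    for password in passwords[:per_account_budget]:
        for user in usernames:
            if user in cracked:
                continue
            if service.login(user, password, f"spray-{next(clients)}") == "ok":
                cracked[user] = password
    return cracked


def demo():
    """Run the scenarios from the answer and return their results."""
    wordlist = ["123456", "qwerty", "letmein", "password", "iloveyou", "abc123"]
    return {
        "brute_force_vs_account_lockout":
            brute_force(LoginService(dict(USERS), "account"), "alice", wordlist, rotate_client=True),
        "brute_force_vs_client_lockout_no_rotation":
            brute_force(LoginService(dict(USERS), "client"), "alice", wordlist, rotate_client=False),
        "brute_force_vs_client_lockout_rotating":
            brute_force(LoginService(dict(USERS), "client"), "alice", wordlist, rotate_client=True),
        "spray_vs_account_lockout":
            password_spray(LoginService(dict(USERS), "account"), list(USERS), COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Against the account policy the brute force locks alice after the third wrong guess and the correct password is refused afterwards; against the client policy, rotating the client id before every guess means no key ever reaches the threshold and the fifth guess succeeds. The spray never sends more than two guesses to any one account, so nothing locks, yet it still recovers the two accounts using list passwords.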