If I enter a password wrong thrice, the system locks me out. How are hackers able to attempt millions of combinations of passwords without the system locking them out?


Edit: Thank you everyone who’s taken out time to explain it to me. I’ve learnt so much. Appreciate it.

Yes, I do use ‘thrice’ in my conversation whenever required. I’m glad it amused so many of you.


11 Answers

Anonymous

I saw a bunch of answers that didn’t answer your question.

If a site locks you out, they either have to limit their requests per minute low enough to not get locked out (which is ridiculous, and no one ever does)

OR

They found your credentials in a dump and are trying them everywhere. As an example, let’s say Target gets hacked and someone gets their user database (which has emails+passwords).

Someone then sells these credential dumps on the black market. Eventually, they end up in public credential dumps (such as ones the ‘haveibeenpwned’ website uses). Either way, ‘hackers’ will take these and blast them to every site they can think of to try to get in.

tl;dr – They don’t try millions of combinations, your user+pass probably got leaked by a garbage website. That or the site got hacked some other way.

P.S. Really, really old or poorly coded websites/applications won’t do lockouts, in which case your question doesn’t apply.

P.P.S. I simplified this, and didn’t elaborate on the examples – which could be clarified to be more accurate. The general idea should help the OP understand what happens.
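The following is an added example, not part of the answer above: a defender's view of why a three-strikes lockout does not notice replayed leaked credentials, and a per-source check that does. The event format, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample login events: (epoch_seconds, source_ip, username, success)
EVENTS = [
    (100, "10.0.0.5", "alice", False),
    (105, "10.0.0.5", "alice", False),
    (110, "10.0.0.5", "alice", False),   # third miss: per-account lockout fires
] + [
    # One source, one attempt per account, as with a replayed credential dump.
    (200 + 5 * i, "203.0.113.7", f"user{i}", i == 4) for i in range(6)
]

def locked_accounts(events, max_failures=3):
    """Accounts a per-account lockout would lock (consecutive failures)."""
    streak, locked = defaultdict(int), set()
    for _, _, user, ok in sorted(events):
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= max_failures:
            locked.add(user)
    return locked

def stuffing_sources(events, window=60, min_accounts=5):
    """Sources with failed logins for >= min_accounts distinct users
    inside a sliding window of `window` seconds (assumed thresholds)."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) >= min_accounts:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    print("locked by per-account rule:", locked_accounts(EVENTS))
    print("flagged as stuffing source:", stuffing_sources(EVENTS))
```

Only the user who mistyped three times is locked out; the source that tried one password each on six accounts never trips the per-account counter and is caught only by counting distinct usernames per source.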
