Most account hacking issues stem from already-released datasets, so they have a big list of all the existing leaks, poke around for where on the internet the same usernames / emails / phone numbers are shared, and then try all the known passwords against those accounts, plus or minus some common variations if a site is too relaxed about its number of attempts,
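The text above describes leaked passwords being replayed across accounts, with extra guesses where a site does not limit attempts. As an added example (not part of the original text), this Python sketch counts failed logins both per source and per account; the class name, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 300               # seconds of history kept (assumed tuning value)
MAX_ACCOUNTS = 5           # distinct accounts one source may fail against (assumed)
MAX_FAILS_PER_ACCOUNT = 5  # failed guesses per account from any source (assumed)

class StuffingGuard:
    """Hypothetical limiter: tracks failed logins per source and per account."""
    def __init__(self):
        self.by_source = defaultdict(deque)   # ip -> (ts, user) failures
        self.by_account = defaultdict(deque)  # user -> (ts, ip) failures

    def check(self, ts, ip, user):
        """Decide before the password is verified."""
        src, acct = self.by_source[ip], self.by_account[user]
        for q in (src, acct):                 # drop failures older than WINDOW
            while q and ts - q[0][0] > WINDOW:
                q.popleft()
        # Leaked-list replay: one source, many accounts, few guesses on each.
        if len({u for _, u in src}) >= MAX_ACCOUNTS:
            return "block_source"
        # Password variations on one account, possibly spread over many sources.
        if len(acct) >= MAX_FAILS_PER_ACCOUNT:
            return "throttle_account"
        return "allow"

    def record_failure(self, ts, ip, user):
        self.by_source[ip].append((ts, user))
        self.by_account[user].append((ts, ip))

def replay(events):
    """Run (ts, ip, user, password_ok) events through a fresh guard."""
    guard, decisions = StuffingGuard(), []
    for ts, ip, user, ok in events:
        decision = guard.check(ts, ip, user)
        if decision == "allow" and not ok:
            guard.record_failure(ts, ip, user)
        decisions.append(decision)
    return decisions

# Constructed sample events (documentation-range IPs, made-up usernames).
EVENTS = (
    [(t, "203.0.113.7", f"user{t}", False) for t in range(8)]            # one source, 8 accounts
    + [(10, "198.51.100.20", "alice", False), (11, "198.51.100.20", "alice", False),
       (12, "198.51.100.20", "alice", True)]                             # owner mistypes twice
    + [(20 + i, f"192.0.2.{i + 1}", "carol", False) for i in range(7)]   # 7 sources, one account
)

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, "->", decision)
```

A per-account lockout alone would miss the first pattern, because each account sees only one failed guess; the per-source count of distinct accounts is what catches it.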