Hackers hack. Sometimes they hack databases and sometimes get people's logins and passwords (along with names, addresses, birthdates, phone numbers, mother's maiden names, etc. ad nauseam).
Since most people are lazy knuckleheads, they use the same passwords - and login names - on every forum, blog, email, YouGoogleTube, TwitFace, bank and pr0n account.
So when the hackers hack some site, they've now got some knucklehead's login/password for every site.
Hackers generally target big sites, so they can get account data for MILLIONS or BILLIONS (with a B) of knuckleheads.
Then they either sell it, or just give it away by posting it for all the other hackers to use.
Which they certainly do.
https://m.theregister.co.uk/2016/12/19/yourii_hackedii_yahooii_accountii_isii_worthii_00003ii/
This site doesn't have to get hacked for some shady character with very little skill to hijack someone's account. Getting that info from somewhere else will work 90% of the time.
I'm a lazy bastard, but NOT when it comes to passwords. Having spent 12 years as a network engineer and IT consultant with clients like AT&T, Consolidated Edison and Kaiser Permanente - and having root/admin passwords to a lot of heavy iron networks and backbone routers - when it comes to passwords I'm a certified card-carrying fanatic. I have clinically diagnosed "Password OCD".
I used to have to write my own password generators and manually encrypt/decrypt the files where I stored password lists. But no more. There are quite a few "password manager" apps out there now.
I don't use the password managers that store the encrypted password file "on the cloud". This is because I thoroughly understand cloud systems and I don't trust them as far as I can throw them. Hell, I read about some cloud system getting hacked on what seems like a weekly basis.
https://m.theregister.co.uk/2017/07/18/dow_jones_index_of_customers_not_prices_leaks_from_aws_repo/
The password manager I'm using these days is 'Enpass':
https://www.enpass.io/
It's free for up to 20 login/passwords. More than that and you pay. But it's cheap.
It can automatically generate truly monstrous passwords that will give even NSA code-breaking supercomputers fits. Or, if you want to be a knucklehead, you can just manually enter in a password of your own choosing.
It stores the encrypted database file with the login/pass data locally, not on the cloud. So it works even if you can't connect to some cloud somewhere.
It has the option to back up the encrypted database file to Google Drive, Dropbox, or whatever. That's good, because they have ported the app (translated the programming code) to damned near every platform, so it's easy to sync my phone, Windows box, Linux box and whatever so they all have the same master password list when I open up Enpass on whatever device.
It's super easy to just open up Enpass (master password of your own choosing required), then copy the login/password to the clipboard and paste to the login screen of ExPo, online banking or whatever. That's important, since no one, not even a mutant brainiac like me can remember a monster password. (Well... RainMan could probably do it. I can't.)
Listen to these words of wisdom my friends; they were carved on silicon tablets by the net.gods:
"NEVER USE THE SAME PASSWORD IN TWO DIFFERENT PLACES! IF YOU DO, THE NET.GODS WILL SEND NET.DAEMONS TO PUNISH YOU FOR YOUR SIN!"