There are billions of emails out there track by haveibeenpwned.com. Bad guys are fully weaponized with automation these days and automate complete passwords stuffing campaigns. That's where strong, unique passwords rotated frequently along with MFA will go a long way to protect against these campaigns. I can't tell you how many successful compromises I run across that are due to people using the same email/password combination on multiple sites.