Account take-over if the password was used elsewhere (credential stuffing).
Become a target for Extortion or Blackmail: https://www.troyhunt.com/the-opportunistic-and-empty-threat-...
Edit: Some companies still use birth dates, security questions or social security numbers for identification. If the information is public, any one can identify as that person via a phone call. https://krebsonsecurity.com/?s=SMS&x=10&y=14 https://krebsonsecurity.com/2018/10/voice-phishing-scams-are... https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-...