They will use a leaked list of millions of username and passwords, then use a botnet to try them all on another website.