This is an attack called "credential stuffing" and the OWASP page for it has multiple examples of it being used in the real world: https://owasp.org/www-community/attacks/Credential_stuffing .