An attacker can use a botnet to try to login your site from a list of username/passwords from the latest big data breach.

They will get likely access of a small percentage of those accounts and you have to do damage control.