Millions of users have their online accounts compromised every day. Password lists are traded on the dark web, and bad actors use automated processes to try them against lots of accounts and services. Sophisticated phishing attacks attempt to trick you into giving away your password (or the info necessary to reset it) by posing as legitimate services or customer support.
Obviously, the best defense against this sort of thing is to have a different, strong, hard-to-guess password for every single account you own. A good password manager like 1Password, LastPass, or Dashlane is a key component in managing that.
