Attackers use these lists to test the same login pairs across other high-value sites (banking, crypto, email).