It’s very valid. The password dumps they’re analyzing aren’t based on attackers brute-force, they’re based on attackers breaching sites’ backends and dumping the user databases. Some of these are sites with millions of records, and when you look at credential-stuffing lists (which are aggregate lists of currently-accessible accounts using previously-breached credential pairs), it adds millions more.

Sort this list by year, and you can see there’s tens of millions of leaked passwords in 2025 alone: haveibeenpwned.com/PwnedWebsites