The guy said brute force but meant credential stuffing.

Basically using an army of remote compromised devices to use known user name password combinations. If they used the same email and password that was found on another compromise, then their account would successfully be logged in first try.