An attack that takes a giant list of leaked email-and-password pairs from one breached site and automatically tries them on your login page, betting people reused passwords. Rate limiting on login is the main defense.