Cybercriminals are now using a combolists-as-a-service model to sell credential collections to other crooks, which will later use them as part of large scale malicious account takeover attacks targetting both individuals and organizations.
Account takeovers are the result of successful credential stuffing attacks which allow attackers to use credentials obtained from security breaches they orchestrated or from other cybercriminals to try and gain access to accounts registered on other sites.
This specific type of attack uses automatically injects credentials until they are matched to an existing account on the targeted site, which the bad actor can then hijack and use it for his own purposes.