Hackers apply stolen data in a flood of login attempts, called "credential stuffing." They target bank accounts, airline miles, and even online grocery sites.