You have a list of passwords for some place that has been compromised.

You hack shitsecurity.com because they have shit security and discover that the user badpassword@gmail.com has a sha256 encoded password of

ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f

You then crack this at home. Using a dictionary attack you learn that the password is (password123)

You then start to try other websites: say goodsecurity.com with the log in of badpassword@gmail.com and password123. Odds are the user reused there password for many websites and that if they have an account on goodsecurity.com you will get in.