Users use the same passwords everywhere. By cross-referencing user passwords through excessive brute force you could find accounts on other sites that link to a user’s personal data.
Is the password personal data?
You have to draw the line of correlation difficulty somewhere.
The term "personally identifiable information" does not occur anywhere within the text of GDPR. GDPR regulates the use of personal data, which is conceptually much broader than PII. Any data that relates to a natural living person is potentially within the scope of GDPR, including data that is insufficient in isolation to identify a natural living person. For example, pseudonymised data from an employee database or medical records may still constitute personal data if it would be possible to reconstruct the identity of that individual by inference, even if all direct identifiers have been removed.
Any piece of information that can be related to someone using supplementary information. E.g., my personal email address contains my name, so I can be identified directly; my phone number doesn’t, but my operator and contacts know who is behind it, so I can be identified indirectly.