Citation for that please.
What do you think would happen if you threw 100bn passwords/s at a web site?
1. Here you go, it's actually relatively old news that was communicated to the Microsoft partner channel proactively:
Your Pa$$word doesn't matter - Microsoft Tech Community
2. Exact outcome would depend on the website, although a broadly irrelevant question.
Of course they don't tend to blast all 100bn in one go to one destination, in the same way that you wouldn't take a Bugatti Chiron down to the local Tescos at 200mph.
The point here is simply to illustrate how easy it is to attack passwords with modern hardware.
Likewise, if your passwords are compromised on the dark web, they only actually need one. Or to try variants thereof.
You'll see in that article, that 20M+ Microsoft accounts are probed daily for password stuffing, and millions are probed daily with 'password spray' (sometimes 100s of thousands broken a day).
Attackers will however use abstraction layers to distribute the traffic to different places via different paths.
For example, after introducing Azure AD Premium to one client we found that an unknown actor in China had attempted (from various IP addresses) to compromise their sales inbox 1700 times.
These attacks were staged from different locations and every five minutes or so to avoid automated detection or enforcement from Microsoft.
As per my email, OP already has 7 known breached passwords and more than 50 incidences of re-use so really this is a classic example of why passwords are not an immaculate protection mechanism for most systems.
MFA/2FA is in most cases free, and it's known to work in many scenarios and cases, so why not get cracking? (excuse the pun)
