Re: Not Shocked....
Yes, that's standard.
You get their passwords from a compromised site dump, check the password policy and increment as appropriate, plus any other leaked passwords from "the dark web".
Cyber Essentials doesn't require regular password changes for this reason.
Even GCHQ advise against regular password changes as they build false assurance.
Best defence is GOOD user education, then MFA (avoid SMS as these can be diverted), after that again GOOD user education, then a robust password policy, then sub-10 and ideally sub-5 failed attempts before account lockout.
Depending on the value of the account you may want the lockout to need sysadmin-level human intervention.
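The defensive checks this reply recommends, written out as an added example that is not part of the original post: a password-change check that rejects a new password found in a breach dump or equal to the old one with only its number changed, and a lockout tracker with a sub-5 failure threshold where high-value accounts can only be released by an admin. The leaked-password set, account names and the `LockoutPolicy`/`check_new_password` names are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a breach dump (placeholder values, not real leaked data).
LEAKED_PASSWORDS = {"Summer2023!", "Welcome1", "P@ssw0rd"}

def _split(pw: str):
    """Split 'Summer2023!' into ('Summer', 2023, '!'); None if no digits present."""
    m = re.fullmatch(r"(.*?)(\d+)(\D*)", pw)
    return (m.group(1).lower(), int(m.group(2)), m.group(3)) if m else None

def is_incremented_reuse(old: str, new: str) -> bool:
    """True when `new` is `old` with only the embedded number changed."""
    a, b = _split(old), _split(new)
    if a is None or b is None:
        return False
    return a[0] == b[0] and a[2] == b[2] and a[1] != b[1]

def check_new_password(old: str, new: str, leaked=LEAKED_PASSWORDS) -> Optional[str]:
    """Return a rejection reason, or None if the change is acceptable."""
    if new in leaked:
        return "appears in a known breach dump"
    if is_incremented_reuse(old, new):
        return "is the previous password with its number changed"
    return None

@dataclass
class LockoutPolicy:
    max_failures: int = 5                      # lock before the 5th failure lands
    admin_unlock_accounts: set = field(default_factory=set)  # high-value accounts
    failures: dict = field(default_factory=dict)
    locked: dict = field(default_factory=dict)  # account -> "auto" or "admin"

    def record_failure(self, account: str) -> Optional[str]:
        """Count a failed login; returns the lock type once the threshold is hit."""
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.max_failures:
            kind = "admin" if account in self.admin_unlock_accounts else "auto"
            self.locked[account] = kind
        return self.locked.get(account)

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)   # a good login resets the counter

    def is_locked(self, account: str) -> bool:
        return account in self.locked

    def unlock(self, account: str, by_admin: bool = False) -> bool:
        """Clear a lock; 'admin' locks refuse anything but a human sysadmin."""
        if self.locked.get(account) == "admin" and not by_admin:
            return False
        self.locked.pop(account, None)
        self.failures.pop(account, None)
        return True
```

A timed release for "auto" locks is left out here; in production the non-admin lock would expire after a cooldown rather than stay set until someone calls `unlock`.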