Re: We encourage all customers not to use the same password for multiple sites
With the caveat that I've no idea what happened in this instance, that isn't always a good protection against credential stuffing.
Most attacks will be of the form of the attackers getting a list of usernames (either confirmed if they can enumerate them or a download of what is basically guesses) and will try all of them with 1 - 3 of the most common passwords. The idea is to avoid detection from locking out the accounts or hitting "excessive failed login" thresholds.
If TfL are saying that this is an attack where a list of pwnd email/pw combos from another site have been used in the attack, then thats a different story (and unique UIDs would have helped). But that isn't really credential stuffing (IMHO of course).