Users are creatures of habit, which means they tend to choose obvious passwords and re-use them over multiple sites.
Knowing this, an attacker trying to break into a site will start with guessing the most common passwords, usually trying permutations that vary by case, and adding numeric suffixes. Since leaks of large databases of plain text passwords occur regularly, the hacking community has a large sample size when figuring out what the most common passwords are.
Password lists also come into play when databases of hashed passwords are leaked. An attacker in possession of a large number of password hashes can guess the encryption algorithm, and build a rainbow table, a list of pre-computed hashes for the most common passwords. Unless the passwords are salted, this will allow them to backwards engineer a large number of login credentials, giving them access to the original system.