And if you want to know how these scripts prioritize their password attempts? Here I'll explain the most common intelligent force method used today, maybe this bit of knowledge will help you not just on CCS, but everywhere.
Before I get into the most likely method used by this script, I'm not going to explain any intelligent algorithms for guessing passwords blindly. You can search for that stuff on your own if you really want to know, but most of them don't work unless you use very common passwords.
This specific method by the attacker employs a datamined method of gathering accounts. What does that mean? Any sites with databases that were poorly secured or hacked, are tested against other sites.
ie: They got your login details somehow on ONE site. So they try to log into other popular sites to see you use the same password.
One way this happens, you use some iOS/Android app that installs and pops up with a notification telling you it needs access to your data to run. Well, that app datamines your activity, sells the stuff to someone who wants to exploit your data. Or you use another high target site/system that heavily relies on datamining for income, like certain aspects of facebook, google/youtube, and any page that uses flash or shared cookies can pull unencrypted account data fairly easily.
How would they know you use CCS? Whatever method used to steal information, stole cookies. Any site with active log-ins uses cookies. OR they used GeoIP, which narrows your general location down through an IP address given out to computers in that area. Being a Chicago site, anyone that is hacked in the chicagoland area might get tested against our system.
So okay, someone got your favorite username combination, and they got your email, and they got a password you like to use.
Guess what? That means some kid in China/South America(not to say it's always them, just the two most common right now as an example) is trying to see if you use that email/username + password elsewhere. Maybe paypal, maybe CCS. And it takes a long time to check passwords across networks, especially by using money transfer services that actively look for this activity. Making it a wasted cause to spook users by letting them know they have your password.
This leads me to CCS and other sites like us. We can either be used for those who want accounts for spam. Or use CCS as a test site, before flagging a bank or paypal(something with real money waiting to be jacked), which could give the thief a second verification on habits to check against their database of login details.
The user then sees that out of 5000 accounts they have from some stollen database, 1000 use the same password for multiple/every site. Or they see 500 are also their netflix logins, and they sell those accounts as a service. Or you have amazon prime, itunes, xbox live, etc. So many ways to skin a cat and make a buck as a cyber criminal.
TL;DR,
then you're a fool, because you're going to learn this lesson the hard way, no matter how easy some service claims to make these steps. But practice good password hygiene.