Once exposed, identity-holders' personal data can be potent for a long time. While it's common to classify personal data as 'persistent' if it essentially cannot be changed (such as a nation-state identity record like a U.S.A. Social Security number or the address one lived at on January 18, 2017), other types of data can sometimes have a long half-life as well. Personal passwords fit this profile when they aren't adequately protected by both consumers and the sites charged with protection of personal identifying information.
Consider this entry from HaveIBeenPwned.com, describing availability of 164 million LinkedIn user credentials : "In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later (italics added). The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data."
Elsewhere on this same site, research also confirms what I and other consumer security researchers have known to be true. Because individuals often reuse the same passwords across multiple sites, and also sometimes fail to change them or a regular basis, even a 2012 breach of a social networking site can lead to a 2016 or later personal data compromise at banking, payment, online shopping, or sites. This, in turn, can lead to the most damaging forms of identity theft or fraud.