Hacker knows usernames .. how?


I have had multiple bruteforce attempts to access one of my websites today. Fortunately Defender alerted me to these and i have used IP banning to lock them out (thank you wpmudev!). Looking at the logs i can see the hacker tried various usernames to access the website. It looks like they then cycled through passwords trying to gain access but fortunately they were unable as all the passwords are high strength, and because defender stopped them at 5 failed attempts. My question is, how did the hacker know a list of registered usernames to try? Where would they have got this info? And is it ‘hideable’ to prevent future target attacks?

All plugins and themes etc are up to date.

Thanks in advance