Note number 5 pointing to this link - »xato.net/passwords/more-top-worst-passwords/
Note that all passwords on this list are from publicly available sources and can be found by anyone. The list does not include the 30 million passwords from the rockyou release because the list does not contain usernames and therefore duplicates with my own list cannot be detected and so they cannot be merged.
From that I would conclude that these are from publicly available leaked/stolen user name and password lists.
I would conclude by saying it doesn't matter how strong your password is, if the entity you are using it with fails to protect it. In reality, it isn't user passwords that are the problem, it is the leaked/stolen passwords that were entrusted to the people requiring a password.--
Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something. ¯ Robert A. Heinlein