What’s the worst that could happen if someone’s account credentials within your organisation fell into a hacker’s hands?

Very wide. Depends on the role and the permissions connected to these credentials. What can be done with them: can you connect, for example, to the internal network through a VPN?

It can go from social engineering, requesting more access through the stolen account, to accessing the network, gathering data, installing software, running ransomware on shared resources...

As cereal wrote above, a lot of horrible things might happen, but it also depends strongly on what access level the account has. If it has only the basic logins, no admin rights, and is continuously monitored, some crisis can be averted. If you think that there is even a slight possibility that the credentials were stolen or hacked, it is beneficial to contact your admins and inform them about it. In general, it can lead to destroying the organization's databases, corrupting computers, stealing more information and, in the worst-case scenario, shutting down the organization. Although that is a very marginal extreme, it does happen from time to time.

Amongst other things, try not to write down any important, or in general any, passwords on paper; tell your employees to always be aware of what they are doing and clicking; and run strict security inside your business if possible, so you can at least be relatively confident that credentials are safe.