by throwawhey3 3311 days ago
In cases where OneLogin provisioned third-party accounts for sites that didn't support SAML, they (at least used to) sync your OneLogin password to these third parties. It did not use unique per-site passwords.

If your OneLogin password was "pass123", so was the password for your OneLogin-managed accounts at Google, Salesforce, and so on. I believe but am not certain that this was even the case for some sites that used SAML but required passwords for non-HTTP access. Mail clients accessing Gmail is an example.

I do not know if this is still the case. I suspect it would not be difficult to check.