All this assumes the third party service is even hashing their passwords.

To say nothing of the people who drop in a single round of md5 hashing without a salt and then sit back and tell themselves they are smarter than all those idiots still storing plaintext passwords.