I think that one extra step of security would be to have implemented a custom salt for every user's password.
Each hash has a unique 12-byte salt.
Also, from StackOverflow:
That's the same nonsense I was responding to.
Not all of the passwords in the database leak had that encryption :p
It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.
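
The upgrade-on-login behaviour described in the last reply, as an added example that is not part of the thread or the site's own code. The legacy scheme (one round of salted SHA-1), the current scheme (PBKDF2-HMAC-SHA256), the record layout and all names are assumptions; only the 12-byte per-hash salt comes from the thread.

```python
import hashlib
import hmac
import os

SALT_LEN = 12            # per-hash salt size mentioned in the thread
PBKDF2_ITERS = 600_000   # assumed work factor for the current scheme


def legacy_hash(password, salt):
    # Assumed legacy scheme for illustration: one round of salted SHA-1.
    return hashlib.sha1(salt + password.encode()).digest()


def current_hash(password, salt):
    # Assumed current scheme: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


SCHEMES = {"legacy": legacy_hash, "current": current_hash}


def make_record(password, scheme="current"):
    # Every record gets its own random salt, whichever scheme it uses.
    salt = os.urandom(SALT_LEN)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def login(db, user, password):
    """Verify the password; upgrade a legacy record only after it verifies."""
    rec = db.get(user)
    if rec is None:
        return False
    candidate = SCHEMES[rec["scheme"]](password, rec["salt"])
    if not hmac.compare_digest(candidate, rec["hash"]):
        return False
    if rec["scheme"] != "current":
        # The plaintext exists only during this request, so re-hash it now.
        db[user] = make_record(password, "current")
    return True


def build_demo_db():
    # Constructed sample accounts, both still stored under the legacy scheme.
    return {"alice": make_record("correct horse", "legacy"),
            "bob": make_record("hunter2", "legacy")}
```

An account that never logs in again, like `bob` here, keeps its legacy record indefinitely, which is why a leaked database can contain both hash types.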