I think that one extra step of security would be to have implemented a custom salt for every user's password
Each hash has a unique 12-byte salt.
Also, from StackOverflow:
That's the same nonsense I was responding to.
Not all of the passwords in the database leak had that encryption :p
It's impossible to upgrade a user's hash until they log in, since their password isn't known. Those users never logged in since the hash algorithm was upgraded several years ago.
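The lazy-migration scheme described in the reply above, as an added example that is not code from the thread or the site being discussed: legacy rows hold an unsalted hash, and a row is only rewritten to the salted scheme at the moment the user logs in, because that is the only time the cleartext password is available. The legacy scheme (unsalted SHA-1), the upgraded scheme (PBKDF2-SHA256 with a fresh 12-byte salt per user), the in-memory user table and the sample credentials are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for the illustration; the 12-byte salt length matches
# the figure quoted in the thread, the KDF and round count are arbitrary choices.
SALT_BYTES = 12
PBKDF2_ROUNDS = 200_000


def legacy_hash(password: str) -> str:
    """Hypothetical legacy scheme: unsalted SHA-1 hex digest (stand-in for the old format)."""
    return hashlib.sha1(password.encode()).hexdigest()


def new_hash(password: str, salt=None) -> dict:
    """Upgraded scheme: per-user random salt plus a slow KDF."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2-sha256", "salt": salt, "digest": digest}


def verify(record, password: str) -> bool:
    """Check a password against either record format, in constant time."""
    if isinstance(record, str):  # legacy row: bare hex digest
        return hmac.compare_digest(record, legacy_hash(password))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on success, rewrite a legacy row to the salted scheme.

    A legacy row can only be upgraded here, because this is the sole point at
    which the cleartext password is known. Users who never log in keep the
    legacy hash indefinitely.
    """
    record = users.get(username)
    if record is None:
        return False
    if not verify(record, password):
        return False
    if isinstance(record, str):
        users[username] = new_hash(password)
    return True


def needs_upgrade(users: dict, username: str) -> bool:
    """True while the stored row is still in the legacy format."""
    return isinstance(users.get(username), str)


def count_legacy_rows(users: dict) -> int:
    """How many accounts are still exposed to the weaker legacy format."""
    return sum(1 for r in users.values() if isinstance(r, str))


def build_sample_users() -> dict:
    # Constructed sample table: both accounts start on the legacy scheme.
    return {"alice": legacy_hash("correct horse"), "bob": legacy_hash("hunter2")}


if __name__ == "__main__":
    users = build_sample_users()
    print("legacy rows before:", count_legacy_rows(users))
    login(users, "alice", "correct horse")   # alice logs in -> upgraded
    print("legacy rows after alice logs in:", count_legacy_rows(users))
```

The `count_legacy_rows` check is the number a defender would track after a migration: it is exactly the set of accounts that, as the reply notes, cannot be upgraded without user action.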
What year did you change the hashing algorithm? From what I saw in the database some users who didn't log on after 2012 were not in it.