I know that we cannot update our hashed passwords without having the plain text password to re-hash. When a member logs in with login/password, we have the plain text, so that gives us an opportunity to more securely hash and store the member password.
Does anyone have experience with asking your members to "please come to our site and log in with your real password" without causing mass panic? Any way that I can think of to convey the request sounds like we have had a data breach. We are simply looking at ways to upgrade our security, and Ashley Madison makes it clear that hashed passwords are a point to carefully consider.