FWIW I think everyone needs to put the recent spate of unauthorised account access into perspective. It's highly unlikely that forcing your entire user base to reset their passwords is proportionate.
We have also had dormant accounts on this very forum, some belonging to actual customers, be accessed by an unauthorised third party and we are absolutely not going to be inflicting a mass password reset on everyone.
We are taking it on a case by case basis. For each spammer we identify, where that user appears to have been a long dormant account, belongs to a customer, or has made legitimate posts before, we will simply security lock that account.
It is, I feel, extremely unlikely that anything more than a small percentage of your users will be affected, and, on balance, given the likely vector of the attack (a potentially aged data breach from decades gone by), it will likely only affect long-dormant accounts.
It is my opinion that forcing a password reset on all of your users to prevent what is little more than fairly harmless spam - the kind that we often see every day anyway - is not very user-friendly, is inconvenient, and is likely to cause unnecessary concern.
Making users aware, globally, preferably just via a notice or similar, that they may want to consider changing their password if they reuse passwords from other sites, or that they may want to consider two-step verification, is the right way forward.