I think so, but should we do that or attempt to reset everyone's passwords?
Did the hacker change the email address on file for each account they hacked? If so, can be pretty annoying to get back in. You should have everyone reset to a stronger password (at least 10 characters, 3 out of the following 4: uppercase, lowercase, digit, and/or special character, stress the importance of not reusing passwords and using random characters or pass phrases if you don't want to use a password manager).
2FA (not to email or phone) is a much better protection in the real world.