Everyone should change their password if they have not done so since the update. You should use a unique password just for this website. If you used the same password for other sites, you should change your password on those other sites as well.
SMF does not have a way to force everyone to reset their password. It also does not hash passwords correctly or understand the concept of a salt. To mitigate the problem of old accounts being compromised, I have reset the email activation status of every account that has not made a post within the past 6 months.