Reset All User Passwords?

Hi, my largest multisite got hacked - someone managed to upload a .php that ran a script that wrote to existing .htaccess files and added new ones that created browser redirects and flag the user sites as "infected".

Thanks to a great security team (I have a dedicated server with Liquid Web) we found the "problem" pretty quickly but I have no way to know which admin username was actually used to do the injection. According to my Sec team the injection was done via WP-Admin - I have, of course, reset all of the passwords I own but I think it would be prudent to do a force password change on ALL admins - any suggestions?