I’m not sure what method of password storage is used here, but the assumption that some vulnerability in the DB or the webserver may expose data beyond the control of the phpBB software itself may not be out of order.
I have a few spare cycles if throwing bodies at a task like updating an encrypt method and modifying code to allow two password tables to exist (one for users that have not yet updated their PW and another table for users that have updated their PW) might help.
Any word if phpBB was the vector for the attack, or just the victim? In other words, if they got onto the server somehow and downloaded the database that’s different from phpBB being where the vulnerability is.
phpBB3 uses salted passwords. phpBB2 does not, which makes it more vulnerable to dictionary / rainbow attacks once the hashed content is retrieved.
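The two points made in this thread, that an unsalted table falls to a precomputed dictionary lookup while a salted one forces per-user work, and that a migration can keep a legacy table beside a new one and move each user over on their next login, are shown below in a small Python simulation. This is an added illustration, not code from phpBB or from anyone in the thread. It assumes plain MD5 as the stand-in for the legacy unsalted scheme and PBKDF2-HMAC-SHA256 for the salted one (the thread names no algorithm, and phpBB's own hashing is not reproduced here); the user names, passwords and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data (assumption, not from the thread): a tiny wordlist
# and three accounts, two of which picked the same password.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "hunter2"]
CREDS = {"alice": "password", "bob": "password", "carol": "hunter2"}
PBKDF2_ITERATIONS = 50_000  # illustrative cost; tune for the target hardware


def legacy_hash(password: str) -> str:
    """Unsalted hash (MD5 assumed as the legacy scheme): equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as iterations$salt$digest so it is self-describing."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


LEGACY_TABLE = {user: legacy_hash(pw) for user, pw in CREDS.items()}


def make_salted_table(creds: Dict[str, str]) -> Dict[str, str]:
    """Fresh random salt per user, so alice and bob no longer share a stored value."""
    return {user: salted_hash(pw, os.urandom(16)) for user, pw in creds.items()}


def dictionary_attack_unsalted(leaked: Dict[str, str], words: List[str]) -> Tuple[Dict[str, str], int]:
    """Rainbow-style attack: hash the wordlist once, then crack every user by lookup.
    Returns (cracked users, number of hash computations performed)."""
    lookup = {legacy_hash(w): w for w in words}
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, len(words)


def dictionary_attack_salted(leaked: Dict[str, str], words: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts nothing can be precomputed: each guess is hashed per user,
    and each computation costs the full PBKDF2 iteration count."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, stored in leaked.items():
        for w in words:
            work += 1
            if verify_salted(w, stored):
                cracked[user] = w
                break
    return cracked, work


class UserStore:
    """The two-table migration from the thread: legacy rows stay until the user
    logs in, at which point the plaintext is available to rehash with a salt."""

    def __init__(self, legacy: Dict[str, str]):
        self.legacy = dict(legacy)
        self.salted: Dict[str, str] = {}

    def login(self, user: str, password: str) -> bool:
        if user in self.salted:
            return verify_salted(password, self.salted[user])
        stored = self.legacy.get(user)
        if stored is None:
            return False
        if not hmac.compare_digest(legacy_hash(password), stored):
            return False
        # Successful legacy login: rehash now and retire the unsalted row.
        self.salted[user] = salted_hash(password, os.urandom(16))
        del self.legacy[user]
        return True


if __name__ == "__main__":
    cracked, work = dictionary_attack_unsalted(LEGACY_TABLE, WORDLIST)
    print("unsalted:", cracked, "hash computations:", work)
    cracked, work = dictionary_attack_salted(make_salted_table(CREDS), WORDLIST)
    print("salted:  ", cracked, "hash computations:", work)
    store = UserStore(LEGACY_TABLE)
    store.login("carol", "hunter2")
    print("carol migrated:", "carol" in store.salted, "legacy rows left:", list(store.legacy))
```

Note that salting on its own only removes the precomputation shortcut; the salted attack above still recovers weak passwords, just at a cost of one full hash per guess per user, which is why the salted scheme also iterates. The migration keeps both tables live because the server never holds the plaintext except during a login, so it cannot rehash users who have not come back.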