Currently it takes about a week to drop all sessions (ie. log everyone out) on all Wikimedia wikis. If there is a real danger of account theft, that's not a huge help; the scripts needs to be significantly faster.
The reason for the slowness is that a separate database update is done for every user. Changing it to a multi-row operation is not trivial as it would have to set the token field of each row to a different, cryptographically secure value in a replication-safe way (so using built-in random functions is not an option).
For MySQL that could probably be achieved with something like
SET @token := ''; UPDATE globaluser SET gu_auth_token = ( @token := sha1( concat( <salt>, @token ) ) ) WHERE gu_id IN (...);
But it would be nicer to have an explicit "invalid" value for tokens, just like it's done for passwords, and just set all fields to that and let the autoupdate the next time a token is needed.