One technique is to store another string (a pepper) outside of the database (assuming the salt is stored with the records) which is used along with the salt to encrypt each password. This way, if only the database is compromised, and not the config file or env variable holding the pepper you're in better shape.
Although they theoretically could have, a lot of these hacks are done via SQL Injection, which is a step below having direct access to the machines. You can often leverage SQL injection further to do just that, but it takes more work/luck/skill than just dumping the DB. So it's not a given that they got filesystem access, but we shouldn't assume that they didn't either.