Although they theoretically could have, a lot of these hacks are done via SQL Injection, which is a step below having direct access to the machines. You can often leverage SQL injection further to do just that, but it takes more work/luck/skill than just dumping the DB. So it's not a given that they got filesystem access, but we shouldn't assume that they didn't either.
