Much more likely, if you are on a shared host, they simply penetrated the security of the host and/or of the (say, Plesk?) software that you use to maintain the site.   Obviously they have, and have had, full read/write access to the directories.   Unfortunately, on many hosts you will find that you do have read/write access to “your neighbor’s data” if you merely think to try it.   I doubt that this has or had anything to do with the Heartbleed hole.