Not necessarily. It depends on the type of hack. It's possible to hack a web server through a PHP exploit (which is what the OIU hack appears to be) without rooting the box. The attacker would never have privileges beyond those of the web server and could not read directories that are inaccessible to the web server. Hidden service private keys are kept in /var/lib/tor, which is read-protected and thus limited to root and the tor user (debian-tor on Debian and Ubuntu). The web server user (usually www-data) can't read that folder.
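
An added example, not part of the original post: a Python model of the owner/group/other permission check the post relies on, run over a constructed temporary tree that stands in for /var/lib/tor. The helper names, the directory names under the temp dir and the uids are assumptions made for illustration, and ACLs and capabilities are ignored.

```python
import os
import shutil
import tempfile

def mode_allows(st, uid, gids, want):
    """Classic Unix owner/group/other check; ignores ACLs and capabilities."""
    if uid == 0:                      # root bypasses permission bits
        return True
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & want == want

def can_list(path, uid, gids, start=os.sep):
    """True if uid can traverse from `start` down to `path` and list it."""
    start, path = os.path.realpath(start), os.path.realpath(path)
    rel = os.path.relpath(path, start)
    chain = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    # Every ancestor needs search (x); the target needs read + search (r-x).
    if not all(mode_allows(os.stat(d), uid, gids, 0o1) for d in chain[:-1]):
        return False
    return mode_allows(os.stat(path), uid, gids, 0o5)

def demo():
    """Constructed tree: <tmp>/tor/hidden_service stands in for /var/lib/tor."""
    base = tempfile.mkdtemp()
    tor_dir = os.path.join(base, "tor")
    hs_dir = os.path.join(tor_dir, "hidden_service")
    os.makedirs(hs_dir)
    os.chmod(base, 0o755)
    st = os.stat(hs_dir)
    tor_uid = st.st_uid                                 # plays the tor user
    web_uid, web_gids = st.st_uid + 1, {st.st_gid + 1}  # constructed web server user
    results = {}
    for label, mode in (("locked", 0o700), ("misconfigured", 0o755)):
        os.chmod(tor_dir, mode)
        os.chmod(hs_dir, mode)
        results[label] = (can_list(hs_dir, tor_uid, set(), base),
                          can_list(hs_dir, web_uid, web_gids, base))
    shutil.rmtree(base)
    return results

if __name__ == "__main__":
    print(demo())
```

Each result is a pair (tor user can list, web server user can list); on a real host the same check can be pointed at /var/lib/tor with the actual uid and group ids of the web server account.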