@allenJo - You are correct that they wouldn’t be able to guess. But they could deploy a virus or malware that would issue an OS command injection to get a list of tables in your table and email that information back to the host.
That’s one workaround. Another workaround is that the hacker may in fact work for your company or may have once worked there. In that case, they already know where the goods are. That’s why you have to constantly be alert; you almost have to have a SQL injection scanner that works around the clock to block execution commands from external inputs. That’s the only way to be permanently secure in my opinion.