What could a hacker do with my wp-config.php?

localhost refers to the machine it’s running on. For example, on my own site tomjn.com, localhost is 127.0.0.1, as it always is. This doesn’t mean the hacker doesn’t know where to connect; it means the hacker replaces localhost with tomjn.com.

Of course if I have a proxy sitting in front this won’t work, but keep in mind that if the attacker has access to my wp-config.php, that same access would let them do other things on that machine.

So now the attacker has your database details, and they can read wp-config.php. They now have access to everything in your database, and can change anything in your database.

Depending on the security of your install, they can create a user for themselves, log in, upload a plugin via zip with a PHP shell script, and start issuing commands or use the site as part of a botnet.

They also have your salts and secret keys (if you don’t have any of these, bad bad bad), so brute forcing your users’ passwords becomes significantly easier. They also have access to their emails.

Suffice to say getting wp-config.php is one of the worst things that could happen. Many more things can be done with it but it would take months to type out every possible attack resulting from this.

In the event your wp-config.php is acquired, it’s likely that an automated attack script did it, not an actual person. Change all your details, reset all passwords, and close the hole.
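
A check for the "change all your details" step, as an added example that is not part of the original answer: it parses simple define() calls from wp-config.php, flags missing or placeholder keys and salts, and, given the leaked copy, flags secrets that were never rotated. The sample configs, the helper names and the 32-character minimum are assumptions made for this example.

```python
import re

# The eight key/salt constants WordPress expects in wp-config.php.
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_LEN = 32  # assumed minimum length for this example
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)\s*;""", re.S)

def parse_defines(text):
    """Return {constant: value} for simple string define() calls.
    Commented-out lines are not skipped."""
    return {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}

def audit(current, leaked=None):
    """List findings; with a leaked copy, also flag unrotated secrets."""
    cur = parse_defines(current)
    old = parse_defines(leaked) if leaked else {}
    findings = []
    for k in KEYS:
        v = cur.get(k)
        if v is None:
            findings.append(f"{k}: missing")
        elif v == PLACEHOLDER:
            findings.append(f"{k}: sample placeholder")
        elif len(v) < MIN_LEN:
            findings.append(f"{k}: short ({len(v)} chars)")
    for k in KEYS + ["DB_PASSWORD"]:
        if k in old and cur.get(k) == old[k]:
            findings.append(f"{k}: not rotated since leak")
    return findings

# Constructed sample data: the leaked copy and a partly cleaned-up config.
def make_config(db_pass, values):
    rows = [f"define( 'DB_PASSWORD', '{db_pass}' );"]
    rows += [f"define( '{k}', '{v}' );" for k, v in values.items()]
    return "<?php\n" + "\n".join(rows) + "\n"

leaked_vals = {k: f"old-{k}-" + "x" * 40 for k in KEYS}
current_vals = {k: f"new-{k}-" + "y" * 40 for k in KEYS}
current_vals["NONCE_SALT"] = leaked_vals["NONCE_SALT"]  # forgotten
current_vals["AUTH_KEY"] = PLACEHOLDER
del current_vals["LOGGED_IN_SALT"]
LEAKED = make_config("old-db-pass", leaked_vals)
CURRENT = make_config("old-db-pass", current_vals)  # DB password unchanged

if __name__ == "__main__":
    for finding in audit(CURRENT, LEAKED):
        print(finding)
```

An empty list from `audit()` means every key and salt is present, non-placeholder and, when a leaked copy is supplied, different from the exposed values.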
