Your information more than likely didn't come from the Equifax breach.
With the amount of data taken from the breach, dark markets online would see a massive uptick in sales for information on individuals in the United States. That had yet to happen, at least from what can be speculated. Data gathered from fraud specialists, information from the credit beareus, the banks, cyber security experts, etc.
Your information is spread across hundreds of data centers, even thousands if we're speaking on technical terms. Breaches go unannounced or yet to even be discovered.
It's scary to think our data is out there and the ways it can be used are always evolving. Luckily this was a credit card scheme, and it's insured.
Also, don't always believe the fraud departments. Why would he have your license and social if he was going to add himself as an authorized user? Most of the time an authorized user being added fraudulently is an "online account takeover". They simply gain online access to your credit card or bank. Add them as an Auth user. Then send out a card. Usually turnoff notifications to your email. Hope you don't catch it until they get the card in the mail and use it.
If they have your license and ssn they can do loads more. Open checking accounts, run a check fraud scheme for a while. If you're really prepared, you can walk away with $5k doing this. Open new credit cards. More risky because even Credit Karma alerts you of this and usually won't get done in time. All they have to do is provide a legitimate looking utility bill to "fake" any address verification.
Just doesn't sound right that if they got your license and social, they'd skip the Auth user. It's riskier since most companies alert you of new Auth users and will question if it's going to a new address. Sounds like that fraud rep just wanted to get you off the phone and have you take precautions against your identity and used Equifax as an excuse.
You could literally type in your social multiple times and get 2 different results about the status of your information being breached. It was a joke when this all went down.
Regardless of Equifax, your data is somewhere and everyday bad people are finding new ways to get it.
Think of it like this. Your information is constantly being harvested. The people who take this information organize it. Imagine your name with different fields of information from most important to least important
You get my point.... Once they have enough information, they toss it into a pile. A pile with thousands of peoples information that can be sold on the dark market.
Just don't put this all on Equifax. Take more precaution in your data. Equifax is a terrible company and their breach is something everyone will suffer from in years to come. Maybe the data is out there and it just can't be pinned down that it came from the breach.