When someone tries to reset our password, be it ourselves or third parties, the IP address of the requestor of the password reset is sent to our inbox with the password reset email. LoginNotify should do the same.
I don't think there would be major privacy concerns as long as its noted where appropriate that trying to login on an account may disclose private data to the owner of that account, if that's not already covered by https://wikimediafoundation.org/wiki/Privacy_policy#To_Protect_You.2C_Ourselves_.26_Others. This will need to be checked with WMF Legal.
Similarly, unsuccessful logins should leave CU traces to prevent abuse, otherwise this feature can become a source of annoyance.
New Notification Data Form
Filling out this form will help developers and product people understand your idea and will provide the information required to implement it. To see examples of the types of answers required, have a look at this sample form. To understand unfamiliar terms, visit the glossary.
- Purpose of the notification: To inform the user about failed login attempts to his account
- Notification name: Unchanged, reusing notification-known-header-login-fail notification from LoginNotify
- What triggers notification?: Login attempts
- "Notice" or "Alert"?: Alert
- Notification type (standard, bundled, expandable bundle): standard, I think (unchanged from the existing notification)
For a single message
- Header: Unchanged
- Body: Added a new body which reads "IP address of the last login attempt: $1" where $1 is replaced with the IP address
For Bundled Messages
- Main, bundling message:
- Subsidiary, bundled message:
- Primary link target: None added
- Primary link label (for email display only): None added
- #1 secondary link target:
- #1 secondary link label:
- #2 secondary link target:
- #2 secondary link label:
- Icon name: Unchanged
- Link to graphic/example: Unchanged