Any account with the abusefilter-private right can perform a query such as
and see the IP address of registered users. Unlike similar requests made through the web interface, this action is not logged at the private details access log, as is required by the CheckUser policy.
It should be noted that at least two admin accounts (and many non-admin accounts) have been recently compromised. If the same attacker were to gain control of a checkuser account, they could obtain IP addresses in batches of 5000 without anyone noticing for a long time. So, perhaps the ability to check abuselog IP addresses via the API could simply be disabled, as a quick fix.