
LoginNotify should allow users to report malicious login attempts
Open, Low, Public, 15 Estimated Story Points

Description

LoginNotify already sends a notification to the user when multiple failed login attempts take place for their account, and since T174492 we are logging failed login attempts. Once T174388 is resolved the user will also see the IP address from which the failed attempt took place. At that point, they can decide to report this to a CheckUser for further investigation. However, this reporting activity can be tremendously enhanced:

  • For those who get the notification about failed login attempts via email, there can be a link that they could click on to "report" this activity. (Something like "Was this you? If not, click here to report this for further investigation.") The link can have a format like .../wiki/Special:LoginNotify?action=report&id=21bgqklm14w6wmht1r0ztdjgba1vrfs9 and clicking on it can either create an OTRS ticket or a new entry in the logs on Special:LoginNotify (which has to be created). Only CUs will have access to this OTRS ticket or special page. They decide, in accordance with CU Policy and Privacy Policy, whether additional checks are needed or not.
  • For those who get the notification within the wiki via Echo, a similar link can be incorporated into the Echo notification itself.

In all these cases, the IP information does not need to be stored in Echo or LoginNotify at all; all of them can simply refer to one or more rows in cu_changes in which the failed login attempt(s) were logged. This way, as soon as the cu_changes rows are purged per data retention policy, the link will disappear from the old Echo notification, the log entry in Special:LoginNotify will disappear, etc.

PS: Credit for the idea goes to Scott and Rob who discussed it first on the cu-l listserv.
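The reference-only storage described above, as an added example that is not LoginNotify or CheckUser code: the report log keeps only cu_changes row ids (never the IP), the CheckUser view resolves the IP live by joining cu_changes, and a retention purge of cu_changes leaves the report with nothing to show. The three tables, their column names, the token format and the check that the link's id belongs to the clicking user are all assumptions made for the example, modelled on the proposal rather than taken from the extensions.

```python
"""Added example, not LoginNotify or CheckUser code: a report log that holds only
references to cu_changes rows, so retention purges of cu_changes also remove the
report. Table and column names are simplified assumptions modelled on the proposal."""
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE cu_changes (             -- simplified stand-in for CheckUser's table
    cuc_id        INTEGER PRIMARY KEY,
    cuc_user_text TEXT NOT NULL,      -- account the failed login targeted
    cuc_ip        TEXT NOT NULL,      -- the IP lives here and nowhere else
    cuc_timestamp TEXT NOT NULL       -- MediaWiki-style YYYYMMDDHHMMSS
);
CREATE TABLE loginnotify_report (     -- hypothetical: one row per report link
    lnr_id       TEXT PRIMARY KEY,    -- opaque id used in ?action=report&id=...
    lnr_user     TEXT NOT NULL,       -- only this user may file the report
    lnr_reported INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE loginnotify_report_cuc ( -- hypothetical: which cu_changes rows it refers to
    lnr_id TEXT NOT NULL,
    cuc_id INTEGER NOT NULL
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def log_failed_login(db, user, ip, ts):
    """Record a failed attempt in cu_changes (what T174492 does) and return its id."""
    cur = db.execute(
        "INSERT INTO cu_changes (cuc_user_text, cuc_ip, cuc_timestamp) VALUES (?, ?, ?)",
        (user, ip, ts))
    return cur.lastrowid


def create_report_link(db, user, cuc_ids):
    """Mint the link id for the email/Echo notification. No IP is copied here."""
    token = secrets.token_urlsafe(24)  # unguessable, so the link cannot be forged
    db.execute("INSERT INTO loginnotify_report (lnr_id, lnr_user) VALUES (?, ?)",
               (token, user))
    db.executemany("INSERT INTO loginnotify_report_cuc VALUES (?, ?)",
                   [(token, cid) for cid in cuc_ids])
    return token


def file_report(db, token, acting_user):
    """Handle a click on the link; the id must belong to the logged-in user."""
    row = db.execute("SELECT lnr_user FROM loginnotify_report WHERE lnr_id = ?",
                     (token,)).fetchone()
    if row is None or row[0] != acting_user:
        return False
    db.execute("UPDATE loginnotify_report SET lnr_reported = 1 WHERE lnr_id = ?",
               (token,))
    return True


def open_reports(db):
    """CheckUser-only listing: IPs are resolved live from cu_changes by JOIN, so a
    report whose rows were purged simply has nothing left to show."""
    return db.execute("""
        SELECT r.lnr_id, r.lnr_user, c.cuc_ip, c.cuc_timestamp
          FROM loginnotify_report r
          JOIN loginnotify_report_cuc rc ON rc.lnr_id = r.lnr_id
          JOIN cu_changes c ON c.cuc_id = rc.cuc_id
         WHERE r.lnr_reported = 1
         ORDER BY r.lnr_id, c.cuc_id""").fetchall()


def purge_cu_changes(db, older_than_ts):
    """Retention job: drop old cu_changes rows, then any now-dangling report rows.
    Returns the number of reports still on file."""
    db.execute("DELETE FROM cu_changes WHERE cuc_timestamp < ?", (older_than_ts,))
    db.execute("DELETE FROM loginnotify_report_cuc "
               "WHERE cuc_id NOT IN (SELECT cuc_id FROM cu_changes)")
    db.execute("DELETE FROM loginnotify_report "
               "WHERE lnr_id NOT IN (SELECT lnr_id FROM loginnotify_report_cuc)")
    return db.execute("SELECT COUNT(*) FROM loginnotify_report").fetchone()[0]


def demo():
    """Constructed scenario: two failed logins against 'Alice', reported, then purged."""
    db = open_db()
    ids = [log_failed_login(db, "Alice", "203.0.113.7", "20180224201500"),
           log_failed_login(db, "Alice", "203.0.113.7", "20180224201530")]
    token = create_report_link(db, "Alice", ids)
    forged = file_report(db, token, "Mallory")   # someone else holding the link: rejected
    filed = file_report(db, token, "Alice")
    before = [r[2] for r in open_reports(db)]    # IPs a CheckUser sees now
    remaining = purge_cu_changes(db, "20180601000000")
    after = open_reports(db)                     # nothing left after the retention purge
    return forged, filed, before, remaining, after


if __name__ == "__main__":
    print(demo())
```

The join is what makes the retention guarantee automatic: even if the dangling-row cleanup in purge_cu_changes were skipped, open_reports could no longer surface an IP for a purged attempt, because the IP was never copied out of cu_changes.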

Event Timeline

Huji triaged this task as Low priority. Feb 24 2018, 8:21 PM
Huji added a project: User-Huji.
Huji set the point value for this task to 15.
Huji added a project: Epic.

What does further investigation mean in this context? What possible actions can result from this further investigation?

In one case, we determined that many of the attacks were done through proxies, and knowing the IP address would help us identify such proxies.

Keep it simple, put an email address in there? Maybe with a pre-generated subject that contains a reference to some identifier (request ID or login CU record ID).

Probably relevant for the planned incident reporting system.

cc @Madalina but AIUI this type of thing would be out of scope for Incident-Reporting-System in the short-to-medium term.