Sorry to post it here, but I have thought may be this way I can bring some attention to what seems to be Google Apps account (and probably any gmail account) security issue.<p>Today somebody tried to retrieve a password from my Google Apps domain admin account and apparently same person tried doing the same for domain of my colleague.<p>Stuff like that is expected to happen from time to time of course, when your website is a potential target for attacks, but what surprised me was the fact, there was no any information on Google Password Reset email (which naturally arrived to my inbox) about the requester. So, I have no other means of tracking potential attacker, but to seat and wait for next attempts.<p>Granted, IP address could be spoofed, but is there any reason why Google would not want to include this in the notification email?..
The problem with this is that people inadvertently send password resets when they forget their account name. This happens all the time. It is a pain because the recipients freak out that someone is trying to break into their account.<p>If that reset message contained the IP address, people who inadvertently sent it to a stranger would complain about the privacy violation.<p>You might catch up some dumb attackers, but in most cases it'll be from a compromised machine or through a proxy.
Another vote for including the IP address.<p>Facebook too. In fact, I think all apps should start displaying the IP addresses of the last FIXNUM attempts to log-in, successful or not.