If we decided to do notifications I would expect users to not re-use passwords from other sites. I would also expect that such a service would require a trusted security brand behind it to work.