The scenario presented starts with a stolen db. Also, it's about recording successful, rather than unsuccessful, logins.
Gmail is a good counter-example - it does tell you of your last login but who keeps track of these? You log in from home, from work, from your iPhone, from your friend's wifi, etc.
And you needn't stop there. What if the auditing service is compromised? What if the convenience-inclined user is using the same password at myfancyaudit.com as they are at mydogfriends.com and at their bank? Maybe I'm missing something but it mostly seems like a way of shuffling trust around without significantly improving security.
It's not shuffling around security and neither is it adding any (at least in the crypto sense). Rather, it is a post-mortem way of knowing whether something is wrong. Assume that neither the auditing agency nor the original service is cracked. If your password gets phished and the attacker logs in as you, you will get a notification about it. Then, you can at least do something retroactively (even seconds later if you get a notification on your phone) to prevent further injury instead of finding out weeks later when all the damage is already done.
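A sketch of the successful-login auditor this reply describes, added here as an illustration and not code from anyone in the thread. It assumes a hypothetical device key built from IP and client string (a real service would bind a device id to a cookie rather than trust a spoofable User-Agent), and it answers the "who keeps track of all these logins" objection by only notifying on a device the account owner has not been seen on before; all sample events are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    user: str
    ip: str          # constructed sample values use RFC 5737 documentation ranges
    client: str      # hypothetical client label (browser / app name)
    ts: int          # unix seconds


@dataclass
class LoginAuditor:
    """Records every *successful* login and decides when the account owner
    should be told out-of-band (push to phone, e-mail to a separate address)."""
    known: dict = field(default_factory=dict)   # user -> set of device keys
    log: list = field(default_factory=list)     # append-only history

    @staticmethod
    def device_key(ev: LoginEvent) -> tuple:
        # Hypothetical fingerprint: network + client. Assumption for the demo only.
        return (ev.ip, ev.client)

    def record(self, ev: LoginEvent) -> bool:
        """Store the login; return True when a notification should be sent."""
        self.log.append(ev)
        seen = self.known.setdefault(ev.user, set())
        key = self.device_key(ev)
        if key in seen:
            return False            # familiar device: stay quiet to limit alert noise
        seen.add(key)               # first sighting: remember it and notify
        return True

    def disown(self, user: str, ip: str, client: str) -> list:
        """Owner says 'that wasn't me': forget the device and hand back every
        login it made so the damage window can be reviewed (the post-mortem step)."""
        key = (ip, client)
        self.known.get(user, set()).discard(key)
        return [ev for ev in self.log
                if ev.user == user and self.device_key(ev) == key]
```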