Are you building features for phishers?
People expect companies/services to tell them when untoward things could be happening to their accounts: Their account has logged in on a new device Their password has been changed An export of their data was started These examples are things you should probably be notified about. But, if you go overboard with these warnings, you might find phishers triggering them intentionally. A bad security warning Imagine receiving this warning email:...