When a wrong password is used, no email is sent out from my multiple experiments today.
I'm happy to be proven wrong, but I think that what's happening with @tim333 is that master passwords may be all lower cased (for example) before being hashed. Or maybe the password is hashed twice with the first letter upper and lower cased.
Here's what I found from a quick google re: password case:
"This is simply Facebook trying to provide a better user experience for those users who may have Caps Lock enabled, or whose devices automatically capitalize the first letter of the password."
I don't think that's the case. I went back and looked at the auth logs and there are many "failed logins" and one "Login verification email sent", which is the only one I got an email for.
