This is true for existing user with wrong password, but that message would be wrong if the user doesn't exist. In this case, the error clearly would be the username, not the combination user+pass.
The password may be correct for the user (who is a person, and has a password for that service).
Of course the person may have multiple user accounts and he may have given the "wrong" password for the "right" username account, but he may also have given the "right" password for the "wrong" username.