Seems like no matter how careful I am, I got spoofed. A valid comment came to my email ... looked totally valid it was from someone I ocasionally get emails from, so I trusted it and opened it. I went to my facebook account (to read the comment) and had to sign in - I noticed my email wasn't already in the user id field, so I entered it and my password. This took me to Facebook - but stole my email.
Evidently this was a pfishing attack...it took my email and password went in and sent an email to all my contacts on Facebook - this is creepy stuff.
Be familiar with sign in and Home page stuff, I thought having to put in my email (userid) again was different, I always sign-in. I felt like an idiot, and probably put a lot of people at risk of having their user id and password compromised. SORRY FACEBOOK FRIENDS!! I'm off of there for now, hesitant to go back.