What makes you think it has gone to anyone else?
In the past, some malware used the address book from Outlook Express (or any other popular e-mail software like Eudora) to get a list of addresses.
Nowadays I don't know all the ways they grab addresses, but breaking security on websites trying to get customer data may well be one method.
Sending as if it is "from" you is just an easy way to avoid some of the anti-spamming tests which mail services adopt. That anyone else you know got the same e-mail is far from guaranteed.
I just opened a hosting account on a web server and in recent days have had spam sent to an e-mail address only known to clients (not shown anywhere on the website). So glad I have alternative services to use.
I plan a simple test - changing the e-mail address on the new web host just to see if the info is used for spamming. Fortunately I didn't spend more than a couple of quid for the hosting account (I like to have some spare for client e-mail to get to me, a single web/mail server is too common these days and I prefer to have at least 2 and perhaps 2 more as backups so I can be sure to receive business e-mail/ support queries etc).
Of course, now the 'valid' mail address has been sent spam, I will have to decide whether to simply block it after a few months (mail I send out has a different reply address, so it only matters where someone has my old address stored in their address book, and I can send an automatic message that they should use the web form or phone me for the correct e-mail address).