I think I've gone above and beyond the call of duty in getting this straightened out, and that I have no further obligation to help her straighten out her error. I'm not interested in just sweeping the problem under the rug by putting filtering rules in place. Even if I was, it would be difficult or impossible to filter out all of the stuff that's meant for her without possibly also getting stuff that's sent to me.
I clearly don't think it's unethical to unsubscribe from the vendor's promotional email, since it's being sent to my email address. I'm not obligated to receive spam just because someone used my address by mistake.
I don't think it's unethical for me to leave her account in the state that I found it.
I think that changing her mailing address so that shit gets shipped somewhere else is going too far. It's involving a third party (the beverage company) in the mess. I also think ordering stuff using her account, even if it's shipped to her, is way over the line.
Defacing her affiliate website might or might not cross the line for me. If I did something like that, it would be in a constructive way as a way of getting her attention, not a "you've been haxx0rzed" way. (BTW, my email address was a link on her website for a while. I'm not the least bit amused by that.)
Changing her password and canceling her account are gray areas in my mind. I can see arguments for both sides of this one. I probably would have canceled the account a long time ago if I could have figured out how to do it on their website.
Incidentally, I'd be far more inclined to work with her if she answered my email and cooperated with me in getting it straightened out. At this point, I don't even know if the address she gave me is valid-- she never responds to my mail.
(Incidentally, I had a similar situation with PayPal a couple of years ago. Someone opened a PayPal account with this email address, and then used it to pay someone. I just could not convince PayPal that the account had been established fraudulently and that I wanted to kill it. I went several rounds with them on this, and even using the word fraud didn't get through to them. For all I know, that account is still live.)