It's been a very bad month for ESPs, companies that handle bulk mailings for their clients. Several of them have had internal security breaches, leaking client information, client mailing lists, or both. Many have also seen clients compromised, with the compromised credentials used to send spam. The sequence of events sugests all the ESPs whose clients were compromised were themselves compromised first. (That's how the crooks knew who to attack.)
The Online Trust Alliance published some guidelines, that offer mostly good advice. So what should ESPs do now?