The Mandiant report said that some Snowflake customers declined to use MFA AND had passwords in place for 4+ years[1]. Maybe Snowflake should have pushed for MFA harder but at the end of the day, this is AT&T's fault.
I'd say the blame lies halfway between AT&T and Snowflake. If you let your customers have poor security practices, and you have the power to ensure a heightened security level, you're also partly to blame...
Snowflake also made it hard to have good practices, giving them further culpability. There was no setting for customers to force their entire tenant to enforce MFA. Customers had to depend on each person with access to do the right thing, something that is unlikely to be universally true.
Non-expiring passwords are probably no more or less secure, unless you are a rampantly terrible employer known for setting ablaze every bridge ever to the point of atomic annihilation.
Are you suggesting a disgruntled former employee could use the password and do things? At that point, I have questions. How is the former employee accessing the cloud service? If your cloud is allowing public access without a VPN, then you've done something wrong there. If the former employee is still accessing your VPN, again, you've done something wrong. Many other things still come to mind but point back to you well before password rotation rules.
[1] https://cloud.google.com/blog/topics/threat-intelligence/unc...