So essentially a lesson to Bitcoin related businesses: Watch your 3rd party dependencies, and load only versioned assets which have to be audited before releases. Don't ever embed something from a remote website that will be updated unless it's a 100% known and trusted source (and even then, know that you're at the will of their security)
My assumption is that Statcounter was embedded via Javascript onto Gate.IOs website. As statcounter was exploited, so was Gate.IOs website (script probably just watched for access to withdrawal page and then attempted to act as the client)
On a side note: The whole 700,000 websites hacked claim is somewhat disingenuous though. Yes, technically, 700,000 websites were "exploited", but the exploit was only targeted at 1 website, and probably didn't even effect any of the other websites at all (although further analysis would probably be required). Hacked somewhat insinuates data losses / exploitation at all websites, which obviously isn't exactly true.
Yeah, it just means 700k websites loaded the script. The malicious part doesn't kick in unless it's loaded on gate.io. This isn't as bad as it's being painted to be.
Yea, I mentioned that as a side note, it's not as bad in general. For Gate.IO, it's quite bad; and the trust from crypto businesses towards StatCounter is going to fold. However, the whole 700k websites number is more or less just an arbitrary number in this case.