Unfortunately you may to be right. Nearly everything is gpg encrypted, and the massive 33gb zip is a password protected acronis true image file. So far all I have found that isn't encrypted is the web framework (posted on github) and a bunch of marketing documents.

Best practice for this kind of leak is widely distributing encrypted files and then later distributing the key.

or a dead-man's switch release if something happens to the key holder...